Vulnerabilities |
5 via 10 paths |
|---|---|
Dependencies |
137 |
Source |
Docker |
Target OS |
ubuntu:19.10 |
medium severity
- Vulnerable module: curl
- Introduced through: curl@7.65.3-1ubuntu3 and curl/libcurl4@7.65.3-1ubuntu3
- Fixed in: 7.65.3-1ubuntu3.1
Detailed paths
-
Introduced through: buildpack-deps@19.10-curl › curl@7.65.3-1ubuntu3
-
Introduced through: buildpack-deps@19.10-curl › curl/libcurl4@7.65.3-1ubuntu3
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:19.10 relevant fixed versions and status.
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
Remediation
Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-8177
- https://security-tracker.debian.org/tracker/CVE-2020-8177
- https://www.debian.org/security/2021/dsa-4881
- https://curl.se/docs/CVE-2020-8177.html
- https://hackerone.com/reports/887462
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
medium severity
- Vulnerable module: curl
- Introduced through: curl@7.65.3-1ubuntu3 and curl/libcurl4@7.65.3-1ubuntu3
- Fixed in: 7.65.3-1ubuntu3.1
Detailed paths
-
Introduced through: buildpack-deps@19.10-curl › curl@7.65.3-1ubuntu3
-
Introduced through: buildpack-deps@19.10-curl › curl/libcurl4@7.65.3-1ubuntu3
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:19.10 relevant fixed versions and status.
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
Remediation
Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-8169
- https://security-tracker.debian.org/tracker/CVE-2020-8169
- https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf
- https://www.debian.org/security/2021/dsa-4881
- https://curl.se/docs/CVE-2020-8169.html
- https://hackerone.com/reports/874778
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
medium severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.30-0ubuntu2.1 and glibc/libc6@2.30-0ubuntu2.1
- Fixed in: 2.30-0ubuntu2.2
Detailed paths
-
Introduced through: buildpack-deps@19.10-curl › glibc/libc-bin@2.30-0ubuntu2.1
-
Introduced through: buildpack-deps@19.10-curl › glibc/libc6@2.30-0ubuntu2.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:19.10 relevant fixed versions and status.
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
Remediation
Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
- https://security-tracker.debian.org/tracker/CVE-2020-1751
- https://security.gentoo.org/glsa/202006-04
- https://sourceware.org/bugzilla/show_bug.cgi?id=25423
- https://security.netapp.com/advisory/ntap-20200430-0002/
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751
- https://usn.ubuntu.com/4416-1/
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.30-0ubuntu2.1 and glibc/libc6@2.30-0ubuntu2.1
- Fixed in: 2.30-0ubuntu2.2
Detailed paths
-
Introduced through: buildpack-deps@19.10-curl › glibc/libc-bin@2.30-0ubuntu2.1
-
Introduced through: buildpack-deps@19.10-curl › glibc/libc6@2.30-0ubuntu2.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:19.10 relevant fixed versions and status.
A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
Remediation
Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752
- https://sourceware.org/bugzilla/show_bug.cgi?id=25414
- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c
- https://security-tracker.debian.org/tracker/CVE-2020-1752
- https://security.gentoo.org/glsa/202101-20
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200511-0005/
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752
- https://usn.ubuntu.com/4416-1/
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c
low severity
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.30-0ubuntu2.1 and glibc/libc6@2.30-0ubuntu2.1
- Fixed in: 2.30-0ubuntu2.2
Detailed paths
-
Introduced through: buildpack-deps@19.10-curl › glibc/libc-bin@2.30-0ubuntu2.1
-
Introduced through: buildpack-deps@19.10-curl › glibc/libc6@2.30-0ubuntu2.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:19.10 relevant fixed versions and status.
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
Remediation
Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126
- https://security-tracker.debian.org/tracker/CVE-2019-19126
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/
- https://sourceware.org/bugzilla/show_bug.cgi?id=25204
- https://usn.ubuntu.com/4416-1/
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/