| Vulnerabilities | 7 via 24 paths |
|---|---|
| Dependencies | 408 |
| Source | Docker |
| Target OS | ubuntu:19.10 |
medium severity (CVE-2020-8177)
- Vulnerable module: curl
- Introduced through: curl@7.65.3-1ubuntu3, curl/libcurl3-gnutls@7.65.3-1ubuntu3 and others
- Fixed in: 7.65.3-1ubuntu3.1
Detailed paths
- Introduced through: buildpack-deps@eoan › curl@7.65.3-1ubuntu3
- Introduced through: buildpack-deps@eoan › curl/libcurl3-gnutls@7.65.3-1ubuntu3
- Introduced through: buildpack-deps@eoan › curl/libcurl4@7.65.3-1ubuntu3
- Introduced through: buildpack-deps@eoan › curl/libcurl4-openssl-dev@7.65.3-1ubuntu3
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See "How to fix?" for Ubuntu:19.10 relevant fixed versions and status.
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to overwriting a local file when the -J flag is used.
Remediation
Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-8177
- https://security-tracker.debian.org/tracker/CVE-2020-8177
- https://www.debian.org/security/2021/dsa-4881
- https://curl.se/docs/CVE-2020-8177.html
- https://hackerone.com/reports/887462
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
medium severity (CVE-2020-8169)
- Vulnerable module: curl
- Introduced through: curl@7.65.3-1ubuntu3, curl/libcurl3-gnutls@7.65.3-1ubuntu3 and others
- Fixed in: 7.65.3-1ubuntu3.1
Detailed paths
- Introduced through: buildpack-deps@eoan › curl@7.65.3-1ubuntu3
- Introduced through: buildpack-deps@eoan › curl/libcurl3-gnutls@7.65.3-1ubuntu3
- Introduced through: buildpack-deps@eoan › curl/libcurl4@7.65.3-1ubuntu3
- Introduced through: buildpack-deps@eoan › curl/libcurl4-openssl-dev@7.65.3-1ubuntu3
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See "How to fix?" for Ubuntu:19.10 relevant fixed versions and status.
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
Remediation
Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-8169
- https://security-tracker.debian.org/tracker/CVE-2020-8169
- https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf
- https://www.debian.org/security/2021/dsa-4881
- https://curl.se/docs/CVE-2020-8169.html
- https://hackerone.com/reports/874778
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
medium severity (CVE-2020-1751)
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.30-0ubuntu2.1, glibc/libc-dev-bin@2.30-0ubuntu2.1 and others
- Fixed in: 2.30-0ubuntu2.2
Detailed paths
- Introduced through: buildpack-deps@eoan › glibc/libc-bin@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc-dev-bin@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc6@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc6-dev@2.30-0ubuntu2.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See "How to fix?" for Ubuntu:19.10 relevant fixed versions and status.
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
Remediation
Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
- https://security-tracker.debian.org/tracker/CVE-2020-1751
- https://security.gentoo.org/glsa/202006-04
- https://sourceware.org/bugzilla/show_bug.cgi?id=25423
- https://security.netapp.com/advisory/ntap-20200430-0002/
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751
- https://usn.ubuntu.com/4416-1/
medium severity (CVE-2020-15306)
- Vulnerable module: openexr/libopenexr-dev
- Introduced through: openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1 and openexr/libopenexr23@2.2.1-4.1ubuntu1.1
- Fixed in: 2.2.1-4.1ubuntu1.2
Detailed paths
- Introduced through: buildpack-deps@eoan › openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1
- Introduced through: buildpack-deps@eoan › openexr/libopenexr23@2.2.1-4.1ubuntu1.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See "How to fix?" for Ubuntu:19.10 relevant fixed versions and status.
An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.
Remediation
Upgrade Ubuntu:19.10 openexr to version 2.2.1-4.1ubuntu1.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-15306
- https://security-tracker.debian.org/tracker/CVE-2020-15306
- https://www.debian.org/security/2020/dsa-4755
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKDRVXORM2VLNHRLFKS3JHRABSHZ5W5M/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SHYAKRAUEMYVCV7U5WLDRE2YFGSV5PIT/
- https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md
- https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md
- https://github.com/AcademySoftwareFoundation/openexr/pull/738
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.2
- https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00048.html
- https://usn.ubuntu.com/4418-1/
- https://security.gentoo.org/glsa/202107-27
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKDRVXORM2VLNHRLFKS3JHRABSHZ5W5M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SHYAKRAUEMYVCV7U5WLDRE2YFGSV5PIT/
medium severity (CVE-2020-15305)
- Vulnerable module: openexr/libopenexr-dev
- Introduced through: openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1 and openexr/libopenexr23@2.2.1-4.1ubuntu1.1
- Fixed in: 2.2.1-4.1ubuntu1.2
Detailed paths
- Introduced through: buildpack-deps@eoan › openexr/libopenexr-dev@2.2.1-4.1ubuntu1.1
- Introduced through: buildpack-deps@eoan › openexr/libopenexr23@2.2.1-4.1ubuntu1.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Ubuntu. See "How to fix?" for Ubuntu:19.10 relevant fixed versions and status.
An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.
Remediation
Upgrade Ubuntu:19.10 openexr to version 2.2.1-4.1ubuntu1.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-15305
- https://security-tracker.debian.org/tracker/CVE-2020-15305
- https://www.debian.org/security/2020/dsa-4755
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKDRVXORM2VLNHRLFKS3JHRABSHZ5W5M/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SHYAKRAUEMYVCV7U5WLDRE2YFGSV5PIT/
- https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md
- https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md
- https://github.com/AcademySoftwareFoundation/openexr/pull/730
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.2
- https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00048.html
- https://usn.ubuntu.com/4418-1/
- https://security.gentoo.org/glsa/202107-27
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKDRVXORM2VLNHRLFKS3JHRABSHZ5W5M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SHYAKRAUEMYVCV7U5WLDRE2YFGSV5PIT/
low severity (CVE-2020-1752)
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.30-0ubuntu2.1, glibc/libc-dev-bin@2.30-0ubuntu2.1 and others
- Fixed in: 2.30-0ubuntu2.2
Detailed paths
- Introduced through: buildpack-deps@eoan › glibc/libc-bin@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc-dev-bin@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc6@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc6-dev@2.30-0ubuntu2.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See "How to fix?" for Ubuntu:19.10 relevant fixed versions and status.
A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
Remediation
Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752
- https://sourceware.org/bugzilla/show_bug.cgi?id=25414
- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c
- https://security-tracker.debian.org/tracker/CVE-2020-1752
- https://security.gentoo.org/glsa/202101-20
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200511-0005/
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752
- https://usn.ubuntu.com/4416-1/
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c
low severity (CVE-2019-19126)
- Vulnerable module: glibc/libc-bin
- Introduced through: glibc/libc-bin@2.30-0ubuntu2.1, glibc/libc-dev-bin@2.30-0ubuntu2.1 and others
- Fixed in: 2.30-0ubuntu2.2
Detailed paths
- Introduced through: buildpack-deps@eoan › glibc/libc-bin@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc-dev-bin@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc6@2.30-0ubuntu2.1
- Introduced through: buildpack-deps@eoan › glibc/libc6-dev@2.30-0ubuntu2.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See "How to fix?" for Ubuntu:19.10 relevant fixed versions and status.
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
Remediation
Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126
- https://security-tracker.debian.org/tracker/CVE-2019-19126
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/
- https://sourceware.org/bugzilla/show_bug.cgi?id=25204
- https://usn.ubuntu.com/4416-1/
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/