Docker buildpack-deps:eoan-curl

Vulnerabilities

5 via 10 paths

Dependencies

137

Source

Docker

Target OS

ubuntu:19.10

medium severity

Arbitrary Code Injection

  • Vulnerable module: curl
  • Introduced through: curl@7.65.3-1ubuntu3 and curl/libcurl4@7.65.3-1ubuntu3
  • Fixed in: 7.65.3-1ubuntu3.1

Detailed paths

  • Introduced through: buildpack-deps:eoan-curl@* curl@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps:eoan-curl@* curl/libcurl4@7.65.3-1ubuntu3

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Ubuntu:19.10 relevant versions.

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to overwriting a local file when the -J flag is used.

Remediation

Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.65.3-1ubuntu3 and curl/libcurl4@7.65.3-1ubuntu3
  • Fixed in: 7.65.3-1ubuntu3.1

Detailed paths

  • Introduced through: buildpack-deps:eoan-curl@* curl@7.65.3-1ubuntu3
  • Introduced through: buildpack-deps:eoan-curl@* curl/libcurl4@7.65.3-1ubuntu3

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Ubuntu:19.10 relevant versions.

curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).

Remediation

Upgrade Ubuntu:19.10 curl to version 7.65.3-1ubuntu3.1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.30-0ubuntu2.1 and glibc/libc6@2.30-0ubuntu2.1
  • Fixed in: 2.30-0ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps:eoan-curl@* glibc/libc-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps:eoan-curl@* glibc/libc6@2.30-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Ubuntu:19.10 relevant versions.

An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.

References

low severity

Information Exposure

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.30-0ubuntu2.1 and glibc/libc6@2.30-0ubuntu2.1
  • Fixed in: 2.30-0ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps:eoan-curl@* glibc/libc-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps:eoan-curl@* glibc/libc6@2.30-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Ubuntu:19.10 relevant versions.

On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.

Remediation

Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.

References

low severity

Use After Free

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.30-0ubuntu2.1 and glibc/libc6@2.30-0ubuntu2.1
  • Fixed in: 2.30-0ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps:eoan-curl@* glibc/libc-bin@2.30-0ubuntu2.1
  • Introduced through: buildpack-deps:eoan-curl@* glibc/libc6@2.30-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Ubuntu:19.10 relevant versions.

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

Remediation

Upgrade Ubuntu:19.10 glibc to version 2.30-0ubuntu2.2 or higher.

References