| Vulnerabilities | 24 via 30 paths |
|---|---|
| Dependencies | 30 |
| Source | Docker |
| Target OS | alpine:3.7.1 |
critical severity
- Vulnerable module: bzip2/libbz2
- Introduced through: bzip2/libbz2@1.0.6-r6
- Fixed in: 1.0.6-r7
Detailed paths
- Introduced through: nginx@1.14.0-alpine › bzip2/libbz2@1.0.6-r6
NVD Description
Note: Versions mentioned in the description apply only to the upstream bzip2 package and not the bzip2 package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Remediation
Upgrade Alpine:3.7 bzip2 to version 1.0.6-r7 or higher.
References
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&utm_medium=RSS
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://security-tracker.debian.org/tracker/CVE-2019-12900
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4@%3Cuser.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html
- https://usn.ubuntu.com/4146-1/
- https://usn.ubuntu.com/4146-2/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12900
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
critical severity
- Vulnerable module: gd/libgd
- Introduced through: gd/libgd@2.2.5-r0
- Fixed in: 2.2.5-r2
Detailed paths
- Introduced through: nginx@1.14.0-alpine › gd/libgd@2.2.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream gd package and not the gd package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected.
Remediation
Upgrade Alpine:3.7 gd to version 2.2.5-r2 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
- https://www.debian.org/security/2019/dsa-4384
- https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
- https://security-tracker.debian.org/tracker/CVE-2019-6978
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WRUPZVT2MWFUEMVGTRAGDOBHLNMGK5R/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEYUUOW75YD3DENIPYMO263E6NL2NFHI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTXSLRZI5BCQT3H5KALG3DHUWUMNPDX2/
- https://security.gentoo.org/glsa/201903-18
- https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0
- https://github.com/php/php-src/commit/089f7c0bc28d399b0420aa6ef058e4c1c120b2ae
- https://github.com/libgd/libgd/issues/492
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00031.html
- https://access.redhat.com/errata/RHSA-2019:2722
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-6978
- https://usn.ubuntu.com/3900-1/
critical severity
- Vulnerable module: libxslt/libxslt
- Introduced through: libxslt/libxslt@1.1.31-r0
- Fixed in: 1.1.31-r1
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libxslt/libxslt@1.1.31-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
Remediation
Upgrade Alpine:3.7 libxslt to version 1.1.31-r1 or higher.
References
- https://security.netapp.com/advisory/ntap-20191017-0001/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068
- https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
- https://security-tracker.debian.org/tracker/CVE-2019-11068
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
- https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
- http://www.openwall.com/lists/oss-security/2019/04/22/1
- http://www.openwall.com/lists/oss-security/2019/04/23/5
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-11068
- https://usn.ubuntu.com/3947-1/
- https://usn.ubuntu.com/3947-2/
critical severity
- Vulnerable module: musl/musl
- Introduced through: musl/musl@1.1.18-r3 and musl/musl-utils@1.1.18-r3
- Fixed in: 1.1.18-r4
Detailed paths
- Introduced through: nginx@1.14.0-alpine › musl/musl@1.1.18-r3
- Introduced through: nginx@1.14.0-alpine › musl/musl-utils@1.1.18-r3
NVD Description
Note: Versions mentioned in the description apply only to the upstream musl package and not the musl package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
Remediation
Upgrade Alpine:3.7 musl to version 1.1.18-r4 or higher.
References
high severity
- Vulnerable module: gd/libgd
- Introduced through: gd/libgd@2.2.5-r0
- Fixed in: 2.2.5-r1
Detailed paths
- Introduced through: nginx@1.14.0-alpine › gd/libgd@2.2.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream gd package and not the gd package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
Libgd version 2.2.5 contains a double free vulnerability in the gdImageBmpPtr function that can result in remote code execution. This attack appears to be exploitable via a specially crafted JPEG image that can trigger a double free. This vulnerability appears to have been fixed after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.
Remediation
Upgrade Alpine:3.7 gd to version 2.2.5-r1 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
- https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
- https://security-tracker.debian.org/tracker/CVE-2018-1000222
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
- https://security.gentoo.org/glsa/201903-18
- https://github.com/libgd/libgd/issues/447
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000222
- https://usn.ubuntu.com/3755-1/
high severity
- Vulnerable module: gd/libgd
- Introduced through: gd/libgd@2.2.5-r0
- Fixed in: 2.2.5-r2
Detailed paths
- Introduced through: nginx@1.14.0-alpine › gd/libgd@2.2.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream gd package and not the gd package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.
Remediation
Upgrade Alpine:3.7 gd to version 2.2.5-r2 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
- https://www.debian.org/security/2019/dsa-4384
- https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
- https://security-tracker.debian.org/tracker/CVE-2019-6977
- https://www.exploit-db.com/exploits/46677/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WRUPZVT2MWFUEMVGTRAGDOBHLNMGK5R/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEYUUOW75YD3DENIPYMO263E6NL2NFHI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTXSLRZI5BCQT3H5KALG3DHUWUMNPDX2/
- https://security.gentoo.org/glsa/201903-18
- http://packetstormsecurity.com/files/152459/PHP-7.2-imagecolormatch-Out-Of-Band-Heap-Write.html
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- https://bugs.php.net/bug.php?id=77270
- https://security.netapp.com/advisory/ntap-20190315-0003/
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00031.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:3299
- http://www.securityfocus.com/bid/106731
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-6977
- https://usn.ubuntu.com/3900-1/
high severity
- Vulnerable module: libpng/libpng
- Introduced through: libpng/libpng@1.6.34-r1
- Fixed in: 1.6.37-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libpng/libpng@1.6.34-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.
Remediation
Upgrade Alpine:3.7 libpng to version 1.6.37-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14550
- https://security-tracker.debian.org/tracker/CVE-2018-14550
- https://security.gentoo.org/glsa/201908-02
- https://github.com/fouzhe/security/tree/master/libpng#stack-buffer-overflow-in-png2pnm-in-function-get_token
- https://github.com/glennrp/libpng/issues/246
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20221028-0001/
high severity
- Vulnerable module: libjpeg-turbo/libjpeg-turbo
- Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.2-r0
- Fixed in: 1.5.3-r2
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libjpeg-turbo/libjpeg-turbo@1.5.2-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.
Remediation
Upgrade Alpine:3.7 libjpeg-turbo to version 1.5.3-r2 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813
- https://security-tracker.debian.org/tracker/CVE-2018-11813
- https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9c
- https://bugs.gentoo.org/727908
- https://github.com/ChijinZ/security_advisories/blob/master/libjpeg-v9c/mail.pdf
- http://www.ijg.org/files/jpegsrc.v9d.tar.gz
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00015.html
- https://access.redhat.com/errata/RHSA-2019:2052
high severity
- Vulnerable module: libxml2/libxml2
- Introduced through: libxml2/libxml2@2.9.7-r0
- Fixed in: 2.9.8-r1
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libxml2/libxml2@2.9.7-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
Remediation
Upgrade Alpine:3.7 libxml2 to version 2.9.8-r1 or higher.
References
- https://security.netapp.com/advisory/ntap-20190719-0002/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
- https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
- https://security-tracker.debian.org/tracker/CVE-2018-14404
- https://gitlab.gnome.org/GNOME/libxml2/issues/10
- https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
- https://access.redhat.com/errata/RHSA-2019:1543
- https://bugzilla.redhat.com/show_bug.cgi?id=1595985
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-14404
- https://usn.ubuntu.com/3739-1/
- https://usn.ubuntu.com/3739-2/
high severity
- Vulnerable module: libxslt/libxslt
- Introduced through: libxslt/libxslt@1.1.31-r0
- Fixed in: 1.1.31-r2
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libxslt/libxslt@1.1.31-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
Remediation
Upgrade Alpine:3.7 libxslt to version 1.1.31-r2 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://lists.debian.org/debian-lts-announce/2019/10/msg00037.html
- https://security-tracker.debian.org/tracker/CVE-2019-18197
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
- https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20191031-0004/
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
- http://www.openwall.com/lists/oss-security/2019/11/17/2
- https://access.redhat.com/errata/RHSA-2020:0514
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18197
- https://usn.ubuntu.com/4164-1/
medium severity
- Vulnerable module: libjpeg-turbo/libjpeg-turbo
- Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.2-r0
- Fixed in: 1.5.3-r1
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libjpeg-turbo/libjpeg-turbo@1.5.2-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.
Remediation
Upgrade Alpine:3.7 libjpeg-turbo to version 1.5.3-r1 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1152
- https://lists.debian.org/debian-lts-announce/2019/01/msg00015.html
- https://security-tracker.debian.org/tracker/CVE-2018-1152
- https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
- https://www.tenable.com/security/research/tra-2018-17
- https://lists.debian.org/debian-lts-announce/2020/07/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00015.html
- http://www.securityfocus.com/bid/104543
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1152
- https://usn.ubuntu.com/3706-1/
- https://usn.ubuntu.com/3706-2/
medium severity
- Vulnerable module: libjpeg-turbo/libjpeg-turbo
- Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.2-r0
- Fixed in: 1.5.3-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libjpeg-turbo/libjpeg-turbo@1.5.2-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.
Remediation
Upgrade Alpine:3.7 libjpeg-turbo to version 1.5.3-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15232
- https://security-tracker.debian.org/tracker/CVE-2017-15232
- https://github.com/mozilla/mozjpeg/issues/268
- https://github.com/libjpeg-turbo/libjpeg-turbo/pull/182
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15232
- https://usn.ubuntu.com/3706-1/
medium severity
- Vulnerable module: libjpeg-turbo/libjpeg-turbo
- Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.2-r0
- Fixed in: 1.5.3-r3
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libjpeg-turbo/libjpeg-turbo@1.5.2-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
Remediation
Upgrade Alpine:3.7 libjpeg-turbo to version 1.5.3-r3 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498
- https://lists.debian.org/debian-lts-announce/2019/03/msg00021.html
- https://security-tracker.debian.org/tracker/CVE-2018-14498
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7YP4QUEYGHI4Q7GIAVFVKWQ7DJMBYLU/
- https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
- https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
- https://github.com/mozilla/mozjpeg/issues/299
- https://lists.debian.org/debian-lts-announce/2020/07/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00015.html
- https://access.redhat.com/errata/RHSA-2019:2052
- https://access.redhat.com/errata/RHSA-2019:3705
- https://usn.ubuntu.com/4190-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-14498
medium severity
- Vulnerable module: libpng/libpng
- Introduced through: libpng/libpng@1.6.34-r1
- Fixed in: 1.6.37-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libpng/libpng@1.6.34-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.
Remediation
Upgrade Alpine:3.7 libpng to version 1.6.37-r0 or higher.
References
- https://seclists.org/bugtraq/2019/Apr/30
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14048
- https://security-tracker.debian.org/tracker/CVE-2018-14048
- https://security.gentoo.org/glsa/201908-02
- https://github.com/fouzhe/security/tree/master/libpng
- https://github.com/glennrp/libpng/issues/238
- http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-14048
medium severity
- Vulnerable module: libxml2/libxml2
- Introduced through: libxml2/libxml2@2.9.7-r0
- Fixed in: 2.9.8-r1
Detailed paths
-
Introduced through: nginx@1.14.0-alpine › libxml2/libxml2@2.9.7-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
Remediation
Upgrade Alpine:3.7 libxml2 to version 2.9.8-r1 or higher.
References
- https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567
- https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
- https://security-tracker.debian.org/tracker/CVE-2018-14567
- https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
- http://www.securityfocus.com/bid/105198
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-14567
- https://usn.ubuntu.com/3739-1/
medium severity
- Vulnerable module: libgcrypt/libgcrypt
- Introduced through: libgcrypt/libgcrypt@1.8.3-r0
- Fixed in: 1.8.3-r1
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libgcrypt/libgcrypt@1.8.3-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libgcrypt package and not the libgcrypt package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack
Remediation
Upgrade Alpine:3.7 libgcrypt to version 1.8.3-r1 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12904
- https://security-tracker.debian.org/tracker/CVE-2019-12904
- https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
- https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762
- https://dev.gnupg.org/T4541
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00049.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12904
medium severity
- Vulnerable module: openssl/libcrypto1.0
- Introduced through: openssl/libcrypto1.0@1.0.2o-r1 and openssl/libssl1.0@1.0.2o-r1
- Fixed in: 1.0.2r-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › openssl/libcrypto1.0@1.0.2o-r1
- Introduced through: nginx@1.14.0-alpine › openssl/libssl1.0@1.0.2o-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
Remediation
Upgrade Alpine:3.7 openssl to version 1.0.2r-r0 or higher.
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
- https://kc.mcafee.com/corporate/index?page=content&id=SB10282
- https://support.f5.com/csp/article/K18549143
- https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS
- https://www.tenable.com/security/tns-2019-02
- https://www.tenable.com/security/tns-2019-03
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
- https://www.debian.org/security/2019/dsa-4400
- https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html
- https://security-tracker.debian.org/tracker/CVE-2019-1559
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
- https://security.gentoo.org/glsa/201903-10
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://security.netapp.com/advisory/ntap-20190301-0001/
- https://security.netapp.com/advisory/ntap-20190301-0002/
- https://security.netapp.com/advisory/ntap-20190423-0002/
- https://www.openssl.org/news/secadv/20190226.txt
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://access.redhat.com/errata/RHSA-2019:2304
- https://access.redhat.com/errata/RHSA-2019:2437
- https://access.redhat.com/errata/RHSA-2019:2439
- https://access.redhat.com/errata/RHSA-2019:2471
- https://access.redhat.com/errata/RHSA-2019:3929
- https://access.redhat.com/errata/RHSA-2019:3931
- http://www.securityfocus.com/bid/107174
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html
- https://usn.ubuntu.com/4376-2/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1559
- https://usn.ubuntu.com/3899-1/
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
- https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS
medium severity
- Vulnerable module: openssl/libcrypto1.0
- Introduced through: openssl/libcrypto1.0@1.0.2o-r1 and openssl/libssl1.0@1.0.2o-r1
- Fixed in: 1.0.2q-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › openssl/libcrypto1.0@1.0.2o-r1
- Introduced through: nginx@1.14.0-alpine › openssl/libssl1.0@1.0.2o-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
Remediation
Upgrade Alpine:3.7 openssl to version 1.0.2q-r0 or higher.
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7
- https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
- https://www.tenable.com/security/tns-2018-16
- https://www.tenable.com/security/tns-2018-17
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734
- https://www.debian.org/security/2018/dsa-4348
- https://www.debian.org/security/2018/dsa-4355
- https://security-tracker.debian.org/tracker/CVE-2018-0734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20181105-0002/
- https://security.netapp.com/advisory/ntap-20190118-0002/
- https://security.netapp.com/advisory/ntap-20190423-0002/
- https://www.openssl.org/news/secadv/20181030.txt
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://access.redhat.com/errata/RHSA-2019:2304
- https://access.redhat.com/errata/RHSA-2019:3700
- https://access.redhat.com/errata/RHSA-2019:3932
- https://access.redhat.com/errata/RHSA-2019:3933
- https://access.redhat.com/errata/RHSA-2019:3935
- http://www.securityfocus.com/bid/105758
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-0734
- https://usn.ubuntu.com/3840-1/
medium severity
- Vulnerable module: gd/libgd
- Introduced through: gd/libgd@2.2.5-r0
- Fixed in: 2.2.5-r2
Detailed paths
- Introduced through: nginx@1.14.0-alpine › gd/libgd@2.2.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream gd package and not the gd package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
Remediation
Upgrade Alpine:3.7 gd to version 2.2.5-r2 or higher.
References
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- https://bugs.php.net/bug.php?id=75571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
- https://lists.debian.org/debian-lts-announce/2018/01/msg00022.html
- https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
- https://security-tracker.debian.org/tracker/CVE-2018-5711
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
- https://security.gentoo.org/glsa/201903-18
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://access.redhat.com/errata/RHSA-2018:1296
- https://access.redhat.com/errata/RHSA-2019:2519
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5711
- https://usn.ubuntu.com/3755-1/
medium severity
- Vulnerable module: libpng/libpng
- Introduced through: libpng/libpng@1.6.34-r1
- Fixed in: 1.6.37-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libpng/libpng@1.6.34-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Remediation
Upgrade Alpine:3.7 libpng to version 1.6.37-r0 or higher.
References
- https://seclists.org/bugtraq/2019/Apr/30
- https://seclists.org/bugtraq/2019/Apr/36
- https://seclists.org/bugtraq/2019/May/56
- https://seclists.org/bugtraq/2019/May/59
- https://seclists.org/bugtraq/2019/May/67
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
- https://www.debian.org/security/2019/dsa-4435
- https://www.debian.org/security/2019/dsa-4448
- https://www.debian.org/security/2019/dsa-4451
- https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
- https://security-tracker.debian.org/tracker/CVE-2019-7317
- https://security.gentoo.org/glsa/201908-02
- https://github.com/glennrp/libpng/issues/275
- http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20190719-0005/
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- https://access.redhat.com/errata/RHSA-2019:1265
- https://access.redhat.com/errata/RHSA-2019:1267
- https://access.redhat.com/errata/RHSA-2019:1269
- https://access.redhat.com/errata/RHSA-2019:1308
- https://access.redhat.com/errata/RHSA-2019:1309
- https://access.redhat.com/errata/RHSA-2019:1310
- http://www.securityfocus.com/bid/108098
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7317
- https://usn.ubuntu.com/3962-1/
- https://usn.ubuntu.com/3991-1/
- https://usn.ubuntu.com/3997-1/
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
medium severity
- Vulnerable module: libxml2/libxml2
- Introduced through: libxml2/libxml2@2.9.7-r0
- Fixed in: 2.9.8-r1
Detailed paths
- Introduced through: nginx@1.14.0-alpine › libxml2/libxml2@2.9.7-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.
Remediation
Upgrade Alpine:3.7 libxml2 to version 2.9.8-r1 or higher.
References
medium severity
- Vulnerable module: openssl/libcrypto1.0
- Introduced through: openssl/libcrypto1.0@1.0.2o-r1 and openssl/libssl1.0@1.0.2o-r1
- Fixed in: 1.0.2t-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › openssl/libcrypto1.0@1.0.2o-r1
- Introduced through: nginx@1.14.0-alpine › openssl/libssl1.0@1.0.2o-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Remediation
Upgrade Alpine:3.7 openssl to version 1.0.2t-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
- https://seclists.org/bugtraq/2019/Oct/0
- https://seclists.org/bugtraq/2019/Oct/1
- https://seclists.org/bugtraq/2019/Sep/25
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
- https://security.netapp.com/advisory/ntap-20200122-0002/
- https://security.netapp.com/advisory/ntap-20200416-0003/
- https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS
- https://www.tenable.com/security/tns-2019-08
- https://www.tenable.com/security/tns-2019-09
- https://www.debian.org/security/2019/dsa-4539
- https://www.debian.org/security/2019/dsa-4540
- https://security-tracker.debian.org/tracker/CVE-2019-1547
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://security.gentoo.org/glsa/201911-04
- http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
- https://arxiv.org/abs/1909.01785
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190919-0002/
- https://www.openssl.org/news/secadv/20190910.txt
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
- https://usn.ubuntu.com/4376-1/
- https://usn.ubuntu.com/4376-2/
- https://usn.ubuntu.com/4504-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- https://security.netapp.com/advisory/ntap-20240621-0006/
medium severity
- Vulnerable module: openssl/libcrypto1.0
- Introduced through: openssl/libcrypto1.0@1.0.2o-r1 and openssl/libssl1.0@1.0.2o-r1
- Fixed in: 1.0.2q-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › openssl/libcrypto1.0@1.0.2o-r1
- Introduced through: nginx@1.14.0-alpine › openssl/libssl1.0@1.0.2o-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
Remediation
Upgrade Alpine:3.7 openssl to version 1.0.2q-r0 or higher.
References
- https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
- https://support.f5.com/csp/article/K49711130?utm_source=f5support&utm_medium=RSS
- https://www.tenable.com/security/tns-2018-16
- https://www.tenable.com/security/tns-2018-17
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407
- https://www.debian.org/security/2018/dsa-4348
- https://www.debian.org/security/2018/dsa-4355
- https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html
- https://security-tracker.debian.org/tracker/CVE-2018-5407
- https://www.exploit-db.com/exploits/45785/
- https://security.gentoo.org/glsa/201903-10
- https://eprint.iacr.org/2018/1060.pdf
- https://github.com/bbbrumley/portsmash
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20181126-0001/
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2125
- https://access.redhat.com/errata/RHSA-2019:3929
- https://access.redhat.com/errata/RHSA-2019:3931
- https://access.redhat.com/errata/RHSA-2019:3932
- https://access.redhat.com/errata/RHSA-2019:3933
- https://access.redhat.com/errata/RHSA-2019:3935
- https://access.redhat.com/errata/RHSA-2019:0483
- https://access.redhat.com/errata/RHSA-2019:0651
- https://access.redhat.com/errata/RHSA-2019:0652
- http://www.securityfocus.com/bid/105897
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5407
- https://usn.ubuntu.com/3840-1/
low severity
- Vulnerable module: openssl/libcrypto1.0
- Introduced through: openssl/libcrypto1.0@1.0.2o-r1 and openssl/libssl1.0@1.0.2o-r1
- Fixed in: 1.0.2t-r0
Detailed paths
- Introduced through: nginx@1.14.0-alpine › openssl/libcrypto1.0@1.0.2o-r1
- Introduced through: nginx@1.14.0-alpine › openssl/libssl1.0@1.0.2o-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine.
See How to fix? for Alpine:3.7 relevant fixed versions and status.
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Remediation
Upgrade Alpine:3.7 openssl to version 1.0.2t-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
- https://seclists.org/bugtraq/2019/Oct/0
- https://seclists.org/bugtraq/2019/Oct/1
- https://seclists.org/bugtraq/2019/Sep/25
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
- https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_medium=RSS
- https://www.tenable.com/security/tns-2019-09
- https://www.debian.org/security/2019/dsa-4539
- https://www.debian.org/security/2019/dsa-4540
- https://security-tracker.debian.org/tracker/CVE-2019-1563
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://security.gentoo.org/glsa/201911-04
- http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190919-0002/
- https://www.openssl.org/news/secadv/20190910.txt
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
- https://usn.ubuntu.com/4376-1/
- https://usn.ubuntu.com/4376-2/
- https://usn.ubuntu.com/4504-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365