NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22851
• http://www.securityfocus.com/bid/109167
• https://ubuntu.com/security/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream icu package and not the icu package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Remediation

Upgrade Debian:8 icu to version 52.1-8+deb8u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10531
• https://www.debian.org/security/2020/dsa-4646
• https://lists.debian.org/debian-lts-announce/2020/03/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
• https://security.gentoo.org/glsa/202003-15
• https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
• https://github.com/unicode-org/icu/pull/971
• https://bugs.chromium.org/p/chromium/issues/detail?id=1044570
• https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html
• https://chromium.googlesource.com/chromium/deps/icu/+/9f4020916eb1f28f3666f018fdcbe6c9a37f0e08
• https://unicode-org.atlassian.net/browse/ICU-20958
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://access.redhat.com/errata/RHSA-2020:0738
• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00004.html
• https://usn.ubuntu.com/4305-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10531
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

Remediation

Upgrade Debian:8 zlib to version 1:1.2.8.dfsg-2+deb8u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2016-9842
• https://support.apple.com/HT208112
• https://support.apple.com/HT208113
• https://support.apple.com/HT208115
• https://support.apple.com/HT208144
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
• https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html
• https://security.gentoo.org/glsa/202007-54
• https://security.gentoo.org/glsa/201701-56
• https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
• https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
• https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html
• http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.openwall.com/lists/oss-security/2016/12/05/21
• https://bugzilla.redhat.com/show_bug.cgi?id=1402348
• https://access.redhat.com/errata/RHSA-2017:1220
• https://access.redhat.com/errata/RHSA-2017:1221
• https://access.redhat.com/errata/RHSA-2017:1222
• https://access.redhat.com/errata/RHSA-2017:2999
• https://access.redhat.com/errata/RHSA-2017:3046
• https://access.redhat.com/errata/RHSA-2017:3047
• https://access.redhat.com/errata/RHSA-2017:3453
• http://www.securityfocus.com/bid/95131
• http://www.securitytracker.com/id/1039427
• https://usn.ubuntu.com/4246-1/
• https://usn.ubuntu.com/4292-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9842

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

Remediation

Upgrade Debian:8 zlib to version 1:1.2.8.dfsg-2+deb8u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2016-9840
• https://support.apple.com/HT208112
• https://support.apple.com/HT208113
• https://support.apple.com/HT208115
• https://support.apple.com/HT208144
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
• https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html
• https://security.gentoo.org/glsa/202007-54
• https://security.gentoo.org/glsa/201701-56
• https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
• https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
• https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html
• http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.openwall.com/lists/oss-security/2016/12/05/21
• https://bugzilla.redhat.com/show_bug.cgi?id=1402345
• https://access.redhat.com/errata/RHSA-2017:1220
• https://access.redhat.com/errata/RHSA-2017:1221
• https://access.redhat.com/errata/RHSA-2017:1222
• https://access.redhat.com/errata/RHSA-2017:2999
• https://access.redhat.com/errata/RHSA-2017:3046
• https://access.redhat.com/errata/RHSA-2017:3047
• https://access.redhat.com/errata/RHSA-2017:3453
• http://www.securityfocus.com/bid/95131
• http://www.securitytracker.com/id/1039427
• https://usn.ubuntu.com/4246-1/
• https://usn.ubuntu.com/4292-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9840

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the SignTraits::DeriveBits() function, which incorrectly invokes ThrowException() based on user inputs when executing in a background thread. This allows an attacker to trigger a runtime crash.

Note: The cryptographic operations involved are commonly applied to untrusted input.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 20.19.2, 22.15.1, 23.11.1, 24.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• HackerOne Report
• Node.js Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception due to the unhandled TLSSocket error ECONNRESET. An attacker can cause application crash by passing malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data.

Note:

This issue primary affects applications without explicit error handlers to secure sockets.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Remediation

There is no fixed version for Debian:8 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10878
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
• https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10878
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Privilege Escalation under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH variable hijacking and DLL hijacking.

Remediation

Upgrade node to version 16.4.1, 14.17.2, 12.22.2 or higher.

References

• GitHub Commit
• GitHub Release
• GitHub Release
• GitHub Release
• HackerOne Report
• Node.js Security Releases

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Directory Traversal in the path.join function. An attacker can bypass the path traversal protection and access restricted files by crafting specific path inputs that leverage Windows reserved driver names such as CON, PRN, and AUX.

Note: This issue only affects Windows systems and is a result of an incomplete fix for CVE-2025-23084

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

• Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

• Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade node to version 20.19.4, 22.17.1, 24.4.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Security Advisory
• Exploit DB

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Out-of-bounds Read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.

Remediation

Upgrade node to version 16.4.1, 14.17.2, 12.22.2 or higher.

References

• GitHub Commit
• GitHub Release
• GitHub Release
• GitHub Release
• HackerOne Report
• Node.js Security Releases

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Prototype Pollution via console.table properties. Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. Note: This vulnerability only allows an empty string to be assigned numerical keys of the object prototype.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade node to version 12.22.9, 14.18.3, 16.13.2, 17.3.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior due to a flaw in error handling when async_hooks (or AsyncLocalStorage) is enabled. Normally, a "Maximum call stack size exceeded" error (stack overflow) is catchable by try-catch blocks or uncaughtException handlers. However, if this error occurs while an async_hooks callback is on the stack (which happens frequently in frameworks like Next.js or when using APM tools), Node.js treats it as a fatal error. Remote attackers can trigger this crash by sending payloads that cause deep recursion (e.g., deeply nested JSON objects), leading to a Denial of Service.

Notes:

1. Node.js 24.x and 25.x are less affected if using only AsyncLocalStorage, as they use a newer V8 feature that avoids this hook mechanism;

2. The patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from space exhaustion is unspecified, best‑effort behavior and is not a reliable basis for availability or security.

PoC

import { createHook } from 'node:async_hooks';

// This simulates what APM tools do
createHook({ init() {} }).enable();

function recursive() {
  new Promise(() => {}); // Creates async context
  return recursive();
}

try {
  recursive();
} catch (err) {
  console.log('This never runs', err);
}

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• Blog Post
• GitHub Commit
• Node.js Security Releases

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the TLS module when a TLS server is configured with pskCallback or ALPNCallback. A remote attacker can crash or exhaust resources of a TLS server by sending input that causes the callback to throw an error.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• Node.js Security Releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

Remediation

There is no fixed version for Debian:8 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10543
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10543
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-4.8 package and not the gcc-4.8 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

Remediation

There is no fixed version for Debian:8 gcc-4.8.

References

• https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markup
• https://security-tracker.debian.org/tracker/CVE-2018-12886
• https://www.gnu.org/software/gcc/gcc-8/changes.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-4.9 package and not the gcc-4.9 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

Remediation

There is no fixed version for Debian:8 gcc-4.9.

References

• https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markup
• https://security-tracker.debian.org/tracker/CVE-2018-12886
• https://www.gnu.org/software/gcc/gcc-8/changes.html

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Code Injection due to the incorrect handling of environment variables on Linux when the process is running with elevated privileges that the current user lacks (does not apply to CAP_NET_BIND_SERVICE).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.

Remediation

Upgrade Debian:8 wget to version 1.16-1+deb8u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2016-7098
• https://www.exploit-db.com/exploits/40824/
• http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00083.html
• http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00134.html
• https://lists.debian.org/debian-lts-announce/2020/01/msg00031.html
• http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00007.html
• http://www.openwall.com/lists/oss-security/2016/08/27/2
• http://www.securityfocus.com/bid/93157
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7098
• https://www.exploit-db.com/exploits/40824

NVD Description

Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Remediation

There is no fixed version for Debian:8 bash.

References

• https://security-tracker.debian.org/tracker/CVE-2019-18276
• https://security.netapp.com/advisory/ntap-20200430-0003/
• https://security.gentoo.org/glsa/202105-34
• https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff
• http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html
• https://www.youtube.com/watch?v=-wGtxJ8opa8
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.exploit-db.com/exploits/47726

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.

Remediation

There is no fixed version for Debian:8 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-8177
• https://security-tracker.debian.org/tracker/CVE-2020-8177
• https://www.debian.org/security/2021/dsa-4881
• https://curl.se/docs/CVE-2020-8177.html
• https://hackerone.com/reports/887462
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-6488
• https://security.gentoo.org/glsa/202006-04
• https://sourceware.org/bugzilla/show_bug.cgi?id=24097
• http://www.securityfocus.com/bid/106671

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2017-1000408
• https://www.exploit-db.com/exploits/43331/
• https://security.netapp.com/advisory/ntap-20190404-0003/
• http://seclists.org/oss-sec/2017/q4/385
• http://www.openwall.com/lists/oss-security/2019/06/27/7
• http://www.openwall.com/lists/oss-security/2019/06/28/1
• http://www.openwall.com/lists/oss-security/2019/06/28/2
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000408

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-1000001
• https://www.exploit-db.com/exploits/43775/
• https://www.exploit-db.com/exploits/44889/
• https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
• https://security.netapp.com/advisory/ntap-20190404-0003/
• http://seclists.org/oss-sec/2018/q1/38
• https://access.redhat.com/errata/RHSA-2018:0805
• http://www.securityfocus.com/bid/102525
• http://www.securitytracker.com/id/1040162
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001
• https://usn.ubuntu.com/3534-1/
• https://usn.ubuntu.com/3536-1/
• https://www.exploit-db.com/exploits/44889
• https://github.com/0x00-0x00/CVE-2018-1000001

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-11237
• https://www.exploit-db.com/exploits/44750/
• https://sourceware.org/bugzilla/show_bug.cgi?id=23196
• https://security.netapp.com/advisory/ntap-20190329-0001/
• https://security.netapp.com/advisory/ntap-20190401-0001/
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2018:3092
• http://www.securityfocus.com/bid/104256
• https://usn.ubuntu.com/4416-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2017-16997
• https://sourceware.org/bugzilla/show_bug.cgi?id=22625
• https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html
• https://bugs.debian.org/884615
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2018:3092
• http://www.securityfocus.com/bid/102228
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16997

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-7245
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7245
• https://security.gentoo.org/glsa/201710-25
• https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
• https://access.redhat.com/errata/RHSA-2018:2486
• http://www.securityfocus.com/bid/97067
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7245

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-7246
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7246
• https://security.gentoo.org/glsa/201710-25
• https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
• https://access.redhat.com/errata/RHSA-2018:2486
• http://www.securityfocus.com/bid/97067
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7246

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).

Remediation

There is no fixed version for Debian:8 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2019-19882
• https://security.gentoo.org/glsa/202008-09
• https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75
• https://github.com/shadow-maint/shadow/pull/199
• https://github.com/void-linux/void-packages/pull/17580
• https://bugs.archlinux.org/task/64836
• https://bugs.gentoo.org/702252

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.

Remediation

There is no fixed version for Debian:8 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6954
• https://github.com/systemd/systemd/issues/7986
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6954
• https://usn.ubuntu.com/3816-1/
• https://usn.ubuntu.com/3816-2/
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Debian:8 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2016-2779
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
• http://www.openwall.com/lists/oss-security/2016/02/27/1
• http://www.openwall.com/lists/oss-security/2016/02/27/2
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2779

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the fs.symlink() function. An attacker can escape the allowed path and read/write sensitive files by chaining directories and symlinks, bypassing --allow-fs-read and --allow-fs-write restrictions.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.

Remediation

There is no fixed version for Debian:8 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2016-8625
• https://curl.haxx.se/CVE-2016-8625.patch
• https://curl.haxx.se/docs/adv_20161102K.html
• https://www.tenable.com/security/tns-2016-21
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625
• https://security.gentoo.org/glsa/201701-47
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625
• https://access.redhat.com/errata/RHSA-2018:2486
• https://access.redhat.com/errata/RHSA-2018:3558
• http://www.securityfocus.com/bid/94107
• http://www.securitytracker.com/id/1037192
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8625
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2009-5155
• https://support.f5.com/csp/article/K64119434
• https://support.f5.com/csp/article/K64119434?utm_source=f5support&utm_medium=RSS
• http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238
• https://sourceware.org/bugzilla/show_bug.cgi?id=11053
• https://sourceware.org/bugzilla/show_bug.cgi?id=18986
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672
• https://support.f5.com/csp/article/K64119434?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2015-5180
• https://security.gentoo.org/glsa/201706-19
• https://sourceware.org/bugzilla/attachment.cgi?id=8492
• https://sourceware.org/bugzilla/show_bug.cgi?id=18784
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc82b0a2dfe7dbd35671c10510a8da1043d746a5
• https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1249603
• https://access.redhat.com/errata/RHSA-2018:0805
• http://www.securityfocus.com/bid/99324
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-5180
• http://www.ubuntu.com/usn/USN-3239-1
• http://www.ubuntu.com/usn/USN-3239-2
• https://access.redhat.com/security/cve/CVE-2015-5180
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=fc82b0a2dfe7dbd35671c10510a8da1043d746a5

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=24269
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
• https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://www.securityfocus.com/bid/107160
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg package and not the gnupg package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:8 gnupg.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6829
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg package and not the gnupg package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.

Remediation

There is no fixed version for Debian:8 gnupg.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855
• https://security-tracker.debian.org/tracker/CVE-2019-14855
• https://dev.gnupg.org/T4755
• https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html
• https://rwc.iacr.org/2020/slides/Leurent.pdf
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855
• https://usn.ubuntu.com/4516-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14855

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Debian:8 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2018-5709
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709
• https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:8 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6829
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.

Remediation

Upgrade Debian:8 libtasn1-6 to version 4.2-3+deb8u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2017-10790
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790
• https://www.debian.org/security/2018/dsa-4106
• https://security.gentoo.org/glsa/201710-11
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/06/msg00026.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1464141
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10790
• https://usn.ubuntu.com/3547-1/
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which allows an attacker to cause denial of service via CPU and network bandwidth exhaustion.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a race condition in Http2Session when nghttp2 data is left in memory after a connection is reset while processing HTTP/2 CONTINUATION frames. An attacker can cause denial of service by sending such frames then triggering the Http2Session destructor.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

• CERT/CC Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Release Notes
• RedHat Bugzilla Bug
• Vulnerability Report

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Two copies of a header field are allowed in a HTTP request, which causes Node.js to identifiy the first header and ignore the second.

Remediation

Upgrade node to version 10.23.1, 12.20.1, 14.15.4, 15.5.1 or higher.

References

• GitHub Commit
• HTTP Request Smuggling Demystified - Snyk Blog
• NodeJS Security Release Notes
• progfay's PoC
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Key Management Errors. During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.

Remediation

Upgrade node to version 10.9.0 or higher.

References

• GitHub Commit
• GitHub PR
• Node.js Advisory
• Openssl.org

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

Remediation

There is no fixed version for Debian:8 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2015-3276
• http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1238322
• http://rhn.redhat.com/errata/RHSA-2015-2131.html
• http://www.securitytracker.com/id/1034221
• https://access.redhat.com/errata/RHSA-2015:2131
• https://access.redhat.com/security/cve/CVE-2015-3276

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

Remediation

There is no fixed version for Debian:8 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-17740
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
• http://www.openldap.org/its/index.cgi/Incoming?id=8759
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

Remediation

Upgrade Debian:8 openldap to version 2.4.40+dfsg-1+deb8u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-12243
• https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/CHANGES
• https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440
• https://support.apple.com/kb/HT211289
• https://www.debian.org/security/2020/dsa-4666
• https://lists.debian.org/debian-lts-announce/2020/05/msg00001.html
• https://bugs.openldap.org/show_bug.cgi?id=9202
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://security.netapp.com/advisory/ntap-20200511-0003/
• http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00016.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-12243
• https://usn.ubuntu.com/4352-1/
• https://usn.ubuntu.com/4352-2/
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-7186
• https://bugs.exim.org/show_bug.cgi?id=2052
• https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?r1=600&r2=670&sortby=date
• https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?r1=316&r2=670&sortby=date
• https://vcs.pcre.org/pcre/code/trunk/pcre_internal.h?r1=1649&r2=1688&sortby=date
• https://vcs.pcre.org/pcre/code/trunk/pcre_ucd.c?r1=1490&r2=1688&sortby=date
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7186
• https://security.gentoo.org/glsa/201710-09
• https://security.gentoo.org/glsa/201710-25
• https://blogs.gentoo.org/ago/2017/03/14/libpcre-invalid-memory-read-in-match-pcre_exec-c/
• https://access.redhat.com/errata/RHSA-2018:2486
• http://www.securityfocus.com/bid/97030
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7186

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\.|([^\\W_])?)+)+$/.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2015-3217
• https://bugs.exim.org/show_bug.cgi?id=1638
• http://vcs.pcre.org/pcre?view=revision&revision=1566
• http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
• http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
• http://www.openwall.com/lists/oss-security/2015/06/03/7
• https://bugzilla.redhat.com/show_bug.cgi?id=1228283
• http://rhn.redhat.com/errata/RHSA-2016-1025.html
• http://rhn.redhat.com/errata/RHSA-2016-2750.html
• https://access.redhat.com/errata/RHSA-2016:1132
• http://www.securityfocus.com/bid/75018

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-20838
• https://security-tracker.debian.org/tracker/CVE-2019-20838
• https://support.apple.com/kb/HT211931
• https://support.apple.com/kb/HT212147
• http://seclists.org/fulldisclosure/2020/Dec/32
• http://seclists.org/fulldisclosure/2021/Feb/14
• https://bugs.gentoo.org/717920
• https://www.pcre.org/original/changelog.txt
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-11164
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://openwall.com/lists/oss-security/2017/07/11/3
• http://www.securityfocus.com/bid/99575
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164
• http://www.openwall.com/lists/oss-security/2023/04/11/1
• http://www.openwall.com/lists/oss-security/2023/04/12/1
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

Remediation

There is no fixed version for Debian:8 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2020-12723
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://github.com/Perl/perl5/issues/16947
• https://github.com/Perl/perl5/issues/17743
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-12723
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

Remediation

There is no fixed version for Debian:8 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9923
• http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
• http://savannah.gnu.org/bugs/?55369
• https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9923
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Certificate Validation. There is insufficient verification of a certificate chain when using the X509_V_FLAG_X509_STRICT flag.

Remediation

Upgrade node to version 15.14.0, 14.16.1, 12.22.1, 10.24.1 or higher.

References

• GitHub Commit
• NodeJS Security Release

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Use After Free on close http2 on stream canceling. An attacker might be able to exploit the memory corruption to change process behaviour.

The issue follows on from CVE-2021-22930 as the fix for it did not completely resolve the vulnerability.

Remediation

Upgrade node to version 16.6.2, 14.17.5, 12.22.5 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• NodeJS Security Release
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to the handling of the hostname_ascii variable in the uv_getaddrinfo function. Attackers can exploit the creation of addresses that bypass developer checks and resolve to unintended IP addresses, to access internal APIs or for websites that allow users to have username.example.com pages, potentially exposing internal services to attacks.

Notes:

1. Depending on the build and runtime environment, it can lead to different exploitation scenarios:

The last byte of the hostname is a random value (0-256) but identical in successive calls, and the subsequent byte is a null byte. This situation can be exploited through brute force, especially in production environments where many Node.js instances run in parallel (pm2, kubernetes, etc).

Since the last byte is random, there are cases where it's one of 0-9a-f, which makes 16 possible cases (out of 256) useful for calling localhost (127.0.0.x) and potentially bypassing security measures on internal APIs. The same is true for calling other IP-ranges.

2. When deployed in an environment with multiple pods (e.g., Kubernetes), is vulnerable to the attack described above, potentially allowing unauthorized access to internal APIs.

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the improper handling of batch files in child_process.spawn or child_process.spawnSync. An attacker can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Note: This vulnerability only affects Windows machines.

Remediation

Upgrade node to version 18.20.2, 20.12.2, 21.7.3 or higher.

References

• GitHub Commit
• Node.js

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2017-1000409
• https://www.exploit-db.com/exploits/43331/
• https://security.netapp.com/advisory/ntap-20190404-0003/
• http://seclists.org/oss-sec/2017/q4/385
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000409
• https://www.exploit-db.com/exploits/43331

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Debian:8 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
• https://security-tracker.debian.org/tracker/CVE-2020-1751
• https://security.gentoo.org/glsa/202006-04
• https://sourceware.org/bugzilla/show_bug.cgi?id=25423
• https://security.netapp.com/advisory/ntap-20200430-0002/
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751
• https://usn.ubuntu.com/4416-1/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2020-1752
• https://sourceware.org/bugzilla/show_bug.cgi?id=25414
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c
• https://security.gentoo.org/glsa/202101-20
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://security.netapp.com/advisory/ntap-20200511-0005/
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752
• https://usn.ubuntu.com/4416-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c