
@garethr
Last active October 13, 2020 11:20
Snyk CLI to CycloneDX, and thoughts about the spec

Thoughts based on the following mapping:

  1. No fields are required
  2. The score is always base/impact/exploitability, and always 0-10, so it is only compatible with CVSS
  3. A vulnerability refers to a single BOM ref, which means that if multiple components have the same vulnerability it needs to be included multiple times
  4. No provision for multiple identifiers
  5. Although the method on ratings can be set to "Other", there is no way of specifying what method/source the information is coming from
  6. Are advisories intended to always be URLs, or can they be arbitrary strings? The schema says the latter, although all the examples are the former. This would impact someone writing a parser.
  7. In the case of multiple ratings with the same method but different scores/vectors, what are the heuristics? Is this valid?
  8. Additional properties are allowed as per the JSON Schema. Is this purposeful? What is the expected parser behaviour for attributes outside the schema? Should there be a formal extension mechanism?
  9. The description is a string. Are there any rules here? SARIF, for example, has plain text and markdown properties explicitly, rather than leaving it up to the producer.
  10. No provision for multiple vulnerability identifiers, e.g. CVE-2009-5155 is also SNYK-DEBIAN9-GLIBC-338103

For example, should advisories be defined as:

{
    "type": "string",
    "format": "uri",
    "pattern": "^https?://"
}
{
"title":"Cryptographic Issues",
"credit":[
""
],
"packageName":"openssl",
"language":"linux",
"packageManager":"debian:9",
"description":"## Overview\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.osvdb.org/62808](http://www.osvdb.org/62808)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n",
"identifiers":{
"ALTERNATIVE":[
],
"CVE":[
"CVE-2010-0928"
],
"CWE":[
"CWE-310"
]
},
"severity":"low",
"severityWithCritical":"low",
"cvssScore":5.1,
"CVSSv3":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"patches":[
],
"references":[
{
"title":"Debian Security Tracker",
"url":"https://security-tracker.debian.org/tracker/CVE-2010-0928"
},
{
"title":"http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
"url":"http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"
},
{
"title":"http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
"url":"http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"
},
{
"title":"http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
"url":"http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"
},
{
"title":"http://www.osvdb.org/62808",
"url":"http://www.osvdb.org/62808"
},
{
"title":"http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
"url":"http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"
},
{
"title":"http://xforce.iss.net/xforce/xfdb/56750",
"url":"http://xforce.iss.net/xforce/xfdb/56750"
},
{
"title":"X-force Vulnerability Report",
"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
}
],
"creationTime":"2020-08-19T09:30:53.396991Z",
"modificationTime":"2020-08-19T13:28:20.872020Z",
"publicationTime":"2010-03-05T19:30:00Z",
"disclosureTime":"2010-03-05T19:30:00Z",
"id":"SNYK-DEBIAN9-OPENSSL-374995",
"nvdSeverity":"medium",
"relativeImportance":"unimportant",
"semver":{
"vulnerable":[
"*"
]
},
"exploit":"Not Defined",
"from":[
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"openssl/libssl1.1@1.1.0l-1~deb9u1"
],
"upgradePath":[
],
"isUpgradable":false,
"isPatchable":false,
"name":"openssl/libssl1.1",
"version":"1.1.0l-1~deb9u1"
},
"vulnerabilities": [
{
"ref": bom-ref,
"id": "CVE-2010-0928",
"source": {
"name": "Snyk Intel",
"url": "https://snyk.io/vuln/SNYK-DEBIAN9-OPENSSL-374995"
},
"ratings": [
{
"score": {
"base": 9.8,
"impact": 5.9,
"exploitability": 3.0
},
"severity": "Medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"severity": "None",
"method": "Other" # This is the Debian rating
},
{
"severity": "Low",
"method": "Other" # This is the Snyk rating
}
],
"cwes": [
310
],
"description":"## Overview\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.osvdb.org/62808](http://www.osvdb.org/62808)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n",
"recommendations": [
],
"advisories": [
"https://security-tracker.debian.org/tracker/CVE-2010-0928",
"http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
"http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
"http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
"http://www.osvdb.org/62808",
"http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
"http://xforce.iss.net/xforce/xfdb/56750",
"https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
]
}
]
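As an added example (not the gist's own code), the mapping sketched above carried through in Python: it recomputes the CVSS v3 base, impact and exploitability sub-scores from the vector using the formulas of the CVSS v3.0 specification (point 2), picks the CVE as the single id and keeps the Snyk id in source.url (points 4 and 10), emits the Debian and Snyk severities as "Other" ratings (point 5), keeps only http(s) references as advisories (point 6) and produces one entry per affected component (point 3). The bom-ref scheme name@version and the trimmed sample records are assumptions of this example.

```python
"""Added example (not the gist's code): Snyk CLI vulnerability record ->
CycloneDX vulnerability-extension entry, following the sketch above."""
import json
import re

# CVSS v3.0 base-metric weights from the CVSS v3.0 specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Debian's relativeImportance (as surfaced by Snyk) -> the severity names
# the sketch uses for its "Other" rating; "not yet assigned" gives no rating.
_DEBIAN = {"unimportant": "None", "low": "Low", "medium": "Medium", "high": "High"}
_URL = re.compile(r"^https?://")   # point 6: advisories as real URLs only


def _roundup(x):
    """CVSS Roundup (smallest one-decimal value >= x) in the integer form
    the v3.1 spec uses, so float noise cannot change the result."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0


def cvss3_scores(vector):
    """(base, impact, exploitability) for a CVSS:3.x base vector.
    Point 2: the rating wants all three numbers but Snyk only ships the
    base score and the vector, so the sub-scores are recomputed here."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    expl = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["S"]][m["PR"]] * _UI[m["UI"]]
    if impact <= 0:
        base = 0.0
    else:
        base = _roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
    return base, round(impact, 1), round(expl, 1)


def severity_from_base(base):
    """CVSS v3 qualitative scale, using the severity names the sketch uses."""
    for limit, name in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if base <= limit:
            return name
    return "Critical"


def to_cyclonedx(vuln, bom_ref):
    """One CycloneDX entry for one affected component (point 3: the same
    Snyk vuln on two components has to be emitted twice)."""
    base, impact, expl = cvss3_scores(vuln["CVSSv3"])
    ratings = [{"score": {"base": base, "impact": impact, "exploitability": expl},
                "severity": severity_from_base(base), "method": "CVSSv3",
                "vector": vuln["CVSSv3"]}]
    # Point 5: "Other" carries no source, so only the order of these two
    # entries tells a consumer which is Debian's and which is Snyk's.
    debian = _DEBIAN.get(vuln.get("relativeImportance", ""))
    if debian:
        ratings.append({"severity": debian, "method": "Other"})
    ratings.append({"severity": vuln["severity"].capitalize(), "method": "Other"})
    cves = vuln["identifiers"].get("CVE", [])
    return {
        "ref": bom_ref,
        # Points 4/10: one id slot, so prefer the CVE and keep the Snyk id in source.url.
        "id": cves[0] if cves else vuln["id"],
        "source": {"name": "Snyk Intel", "url": "https://snyk.io/vuln/" + vuln["id"]},
        "ratings": ratings,
        "cwes": [int(c.split("-")[1]) for c in vuln["identifiers"].get("CWE", [])],
        "description": vuln.get("description", ""),   # point 9: passed through as markdown
        "recommendations": [],
        "advisories": [r["url"] for r in vuln.get("references", []) if _URL.match(r["url"])],
    }


def convert_report(report):
    """Map every record of a `snyk test --json` style report. The bom-ref
    scheme name@version is an assumption of this example."""
    return [to_cyclonedx(v, v["name"] + "@" + v["version"]) for v in report["vulnerabilities"]]


# Constructed sample in the shape of the Snyk output quoted in the gist,
# trimmed to the fields read above (descriptions shortened).
SNYK_REPORT = {"vulnerabilities": [
    {"id": "SNYK-DEBIAN9-OPENSSL-374995", "name": "openssl/libssl1.1",
     "version": "1.1.0l-1~deb9u1", "severity": "low", "relativeImportance": "unimportant",
     "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
     "identifiers": {"CVE": ["CVE-2010-0928"], "CWE": ["CWE-310"]},
     "description": "## Overview\nOpenSSL 0.9.8i on the LEON3 SoC (shortened).",
     "references": [{"title": "Debian Security Tracker",
                     "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928"},
                    {"title": "X-force Vulnerability Report",
                     "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"}]},
    {"id": "SNYK-DEBIAN9-GLIBC-338160", "name": "glibc/libc6",
     "version": "2.24-11+deb9u4", "severity": "medium", "relativeImportance": "not yet assigned",
     "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
     "identifiers": {"CVE": ["CVE-2009-5155"], "CWE": ["CWE-19"]},
     "description": "## Overview\nparse_reg_exp misparses alternatives (shortened).",
     "references": [{"title": "Debian Security Tracker",
                     "url": "https://security-tracker.debian.org/tracker/CVE-2009-5155"}]}]}

if __name__ == "__main__":
    print(json.dumps({"vulnerabilities": convert_report(SNYK_REPORT)}, indent=2))
```

The recomputed base scores match the cvssScore values Snyk reports for the same vectors (5.1 and 7.5), which is a cheap consistency check to keep in a converter.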
{
"vulnerabilities": [
{
"title": "Uncontrolled Recursion",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\n** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9192)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24269)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-9192"
],
"CWE": [
"CWE-674"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-9192"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192"
}
],
"creationTime": "2020-08-19T09:34:51.311272Z",
"modificationTime": "2020-08-19T13:34:23.609181Z",
"publicationTime": "2019-02-26T18:29:00Z",
"disclosureTime": "2019-02-26T18:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338103",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K64119434)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2009-5155)\n- [MISC](http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=11053)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=18986)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2009-5155"
],
"CWE": [
"CWE-19"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K64119434"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2009-5155"
},
{
"title": "MISC",
"url": "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=11053"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18986"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155"
}
],
"creationTime": "2020-08-19T09:34:51.439546Z",
"modificationTime": "2020-08-19T13:31:00.372152Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338160",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Read",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.\n\n## References\n- [CONFIRM](https://kc.mcafee.com/corporate/index?page=content&id=SB10278)\n- [CONFIRM](https://support.f5.com/csp/article/K54823184)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9169)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24114)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=583dd860d5b833037175247230a328f0050dbfe9)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9169)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-9169"
],
"CWE": [
"CWE-125"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10278"
},
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K54823184"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-9169"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24114"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=583dd860d5b833037175247230a328f0050dbfe9"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/107160"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9169"
}
],
"creationTime": "2020-08-19T09:34:51.379318Z",
"modificationTime": "2020-08-19T13:36:47.683247Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338164",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-20796)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141)\n- [MISC](https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-20796"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-20796"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141"
},
{
"title": "MISC",
"url": "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/107160"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796"
}
],
"creationTime": "2020-08-19T09:34:51.479989Z",
"modificationTime": "2020-08-19T13:37:12.397231Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338175",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-7309)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24155)\n- [MISC](https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html)\n- [Security Focus](http://www.securityfocus.com/bid/106835)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7309)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-7309"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.5,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-7309"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24155"
},
{
"title": "MISC",
"url": "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106835"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7309"
}
],
"creationTime": "2020-08-19T09:34:43.910480Z",
"modificationTime": "2020-08-19T13:31:59.648898Z",
"publicationTime": "2019-02-03T16:14:42Z",
"disclosureTime": "2019-02-03T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356366",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Input Validation",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2016-10228)\n- [OSS security Advisory](http://openwall.com/lists/oss-security/2017/03/01/10)\n- [Security Focus](http://www.securityfocus.com/bid/96525)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10228)\n- [https://sourceware.org/bugzilla/show_bug.cgi?id=19519](https://sourceware.org/bugzilla/show_bug.cgi?id=19519)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2016-10228"
],
"CWE": [
"CWE-20"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
},
{
"title": "https://sourceware.org/bugzilla/show_bug.cgi?id=19519",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=19519"
},
{
"title": "OSS security Advisory",
"url": "http://openwall.com/lists/oss-security/2017/03/01/10"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/96525"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10228"
}
],
"creationTime": "2020-08-19T09:23:45.919566Z",
"modificationTime": "2020-08-19T13:34:26.920545Z",
"publicationTime": "2017-03-02T01:59:00Z",
"disclosureTime": "2017-03-02T01:59:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356370",
"nvdSeverity": "medium",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.\n\n## References\n- [Debian Bug Report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2015-8985)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/201908-06)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2017/02/14/9)\n- [Security Focus](http://www.securityfocus.com/bid/76916)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-8985)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2015-8985"
],
"CWE": [
"CWE-19"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Bug Report",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2015-8985"
},
{
"title": "Gentoo Security Advisory",
"url": "https://security.gentoo.org/glsa/201908-06"
},
{
"title": "OSS security Advisory",
"url": "http://www.openwall.com/lists/oss-security/2017/02/14/9"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/76916"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-8985"
}
],
"creationTime": "2020-08-19T09:24:07.629730Z",
"modificationTime": "2020-08-19T13:26:36.413956Z",
"publicationTime": "2017-03-20T16:59:00Z",
"disclosureTime": "2017-03-20T16:59:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356500",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2017-12132)\n- [MISC](https://arxiv.org/pdf/1205.4011.pdf)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=21361)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:0805)\n- [Security Focus](http://www.securityfocus.com/bid/100598)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12132)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2017-12132"
],
"CWE": [
"CWE-19"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-12132"
},
{
"title": "MISC",
"url": "https://arxiv.org/pdf/1205.4011.pdf"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=21361"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:0805"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/100598"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12132"
}
],
"creationTime": "2020-08-19T09:28:13.065297Z",
"modificationTime": "2020-08-19T13:33:37.919311Z",
"publicationTime": "2017-08-01T16:29:00Z",
"disclosureTime": "2017-08-01T16:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356559",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=22343)\n- [Debian Bug Report](http://bugs.debian.org/878159)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-6485)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n- [Oracle Security Advisory](https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html)\n- [REDHAT](https://access.redhat.com/errata/RHBA-2019:0327)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:3092)\n- [Security Focus](http://www.securityfocus.com/bid/102912)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4218-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-6485"
],
"CWE": [
"CWE-190",
"CWE-787"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22343"
},
{
"title": "Debian Bug Report",
"url": "http://bugs.debian.org/878159"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-6485"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
},
{
"title": "Oracle Security Advisory",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"title": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:3092"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/102912"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/4218-1/"
}
],
"creationTime": "2020-08-19T09:25:30.277984Z",
"modificationTime": "2020-08-19T13:29:26.891299Z",
"publicationTime": "2018-02-01T14:29:00Z",
"disclosureTime": "2018-02-01T14:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356602",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Resource Shutdown or Release",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-6488)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24097)\n- [Security Focus](http://www.securityfocus.com/bid/106671)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-6488"
],
"CWE": [
"CWE-404"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.8,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-6488"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24097"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106671"
}
],
"creationTime": "2020-08-19T09:34:39.468978Z",
"modificationTime": "2020-08-19T13:31:59.043038Z",
"publicationTime": "2019-01-19T14:43:33Z",
"disclosureTime": "2019-01-18T19:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356631",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nStack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.\n\n## References\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/515589/100/0/threaded)\n- [Cert Vulnerability Note](http://www.kb.cert.org/vuls/id/912279)\n- [Dead Link](http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4052)\n- [Exploit DB](http://www.exploit-db.com/exploits/15935)\n- [MISC](http://cxib.net/stuff/proftpd.gnu.c)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=645859)\n- [SECTRACK](http://securitytracker.com/id?1024832)\n- [SREASON](http://securityreason.com/securityalert/8003)\n- [SREASONRES](http://securityreason.com/achievement_securityalert/93)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2011/Jan/78)\n- [Secunia Advisory](http://secunia.com/advisories/42547)\n- [Security Focus](http://www.securityfocus.com/bid/45233)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4052"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F",
"patches": [],
"references": [
{
"title": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"
},
{
"title": "Cert Vulnerability Note",
"url": "http://www.kb.cert.org/vuls/id/912279"
},
{
"title": "Dead Link",
"url": "http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
},
{
"title": "Exploit DB",
"url": "http://www.exploit-db.com/exploits/15935"
},
{
"title": "MISC",
"url": "http://cxib.net/stuff/proftpd.gnu.c"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"
},
{
"title": "Seclists Full Disclosure",
"url": "http://seclists.org/fulldisclosure/2011/Jan/78"
},
{
"title": "SECTRACK",
"url": "http://securitytracker.com/id?1024832"
},
{
"title": "Secunia Advisory",
"url": "http://secunia.com/advisories/42547"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/45233"
},
{
"title": "SREASON",
"url": "http://securityreason.com/securityalert/8003"
},
{
"title": "SREASONRES",
"url": "http://securityreason.com/achievement_securityalert/93"
}
],
"creationTime": "2020-08-19T09:28:26.674545Z",
"modificationTime": "2020-08-19T13:28:29.798340Z",
"publicationTime": "2011-01-13T19:00:00Z",
"disclosureTime": "2011-01-13T19:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356670",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Functional",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Input Validation",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2016-10739)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=20018)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:2118)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1347549)\n- [Security Focus](http://www.securityfocus.com/bid/106672)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10739)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2016-10739"
],
"CWE": [
"CWE-20"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10739"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1347549"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2019:2118"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106672"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10739"
}
],
"creationTime": "2020-08-19T09:34:39.657052Z",
"modificationTime": "2020-08-19T13:31:49.173157Z",
"publicationTime": "2019-01-21T19:29:00Z",
"disclosureTime": "2019-01-21T19:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356682",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4756"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 4.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4756"
},
{
"title": "http://cxib.net/stuff/glob-0day.c",
"url": "http://cxib.net/stuff/glob-0day.c"
},
{
"title": "http://securityreason.com/achievement_securityalert/89",
"url": "http://securityreason.com/achievement_securityalert/89"
},
{
"title": "http://securityreason.com/exploitalert/9223",
"url": "http://securityreason.com/exploitalert/9223"
}
],
"creationTime": "2020-08-19T09:32:45.956285Z",
"modificationTime": "2020-08-19T13:37:14.998362Z",
"publicationTime": "2011-03-02T20:00:00Z",
"disclosureTime": "2011-03-02T20:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356734",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-1000001)\n- [Exploit DB](https://www.exploit-db.com/exploits/43775/)\n- [Exploit DB](https://www.exploit-db.com/exploits/44889/)\n- [MISC](https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n- [Oss-Sec Mailing List](http://seclists.org/oss-sec/2018/q1/38)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:0805)\n- [Security Focus](http://www.securityfocus.com/bid/102525)\n- [Security Tracker](http://www.securitytracker.com/id/1040162)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3534-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3536-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-1000001"
],
"CWE": [
"CWE-119"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 7.8,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
},
{
"title": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/43775/"
},
{
"title": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/44889/"
},
{
"title": "MISC",
"url": "https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
},
{
"title": "Oss-Sec Mailing List",
"url": "http://seclists.org/oss-sec/2018/q1/38"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:0805"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/102525"
},
{
"title": "Security Tracker",
"url": "http://www.securitytracker.com/id/1040162"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/3534-1/"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/3536-1/"
}
],
"creationTime": "2020-08-19T09:30:20.010782Z",
"modificationTime": "2020-08-19T13:32:47.826639Z",
"publicationTime": "2018-01-10T00:00:00Z",
"disclosureTime": "2018-01-10T00:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356851",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Functional",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=22774)\n- [CONFIRM](https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=8e448310d74b283c5cd02b9ed7fb997b47bf9b22)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-6551)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-6551"
],
"CWE": [
"CWE-190",
"CWE-787"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22774"
},
{
"title": "CONFIRM",
"url": "https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=8e448310d74b283c5cd02b9ed7fb997b47bf9b22"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-6551"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
}
],
"creationTime": "2020-08-19T09:22:21.085646Z",
"modificationTime": "2020-08-19T13:31:56.080160Z",
"publicationTime": "2018-02-02T14:29:00Z",
"disclosureTime": "2018-02-02T14:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356862",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "CVE-2010-4051",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"\n\n## References\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/515589/100/0/threaded)\n- [Cert Vulnerability Note](http://www.kb.cert.org/vuls/id/912279)\n- [Dead Link](http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4051)\n- [Exploit DB](http://www.exploit-db.com/exploits/15935)\n- [MISC](http://cxib.net/stuff/proftpd.gnu.c)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=645859)\n- [SECTRACK](http://securitytracker.com/id?1024832)\n- [SREASON](http://securityreason.com/securityalert/8003)\n- [SREASONRES](http://securityreason.com/achievement_securityalert/93)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2011/Jan/78)\n- [Secunia Advisory](http://secunia.com/advisories/42547)\n- [Security Focus](http://www.securityfocus.com/bid/45233)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4051"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"patches": [],
"references": [
{
"title": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"
},
{
"title": "Cert Vulnerability Note",
"url": "http://www.kb.cert.org/vuls/id/912279"
},
{
"title": "Dead Link",
"url": "http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4051"
},
{
"title": "Exploit DB",
"url": "http://www.exploit-db.com/exploits/15935"
},
{
"title": "MISC",
"url": "http://cxib.net/stuff/proftpd.gnu.c"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"
},
{
"title": "Seclists Full Disclosure",
"url": "http://seclists.org/fulldisclosure/2011/Jan/78"
},
{
"title": "SECTRACK",
"url": "http://securitytracker.com/id?1024832"
},
{
"title": "Secunia Advisory",
"url": "http://secunia.com/advisories/42547"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/45233"
},
{
"title": "SREASON",
"url": "http://securityreason.com/securityalert/8003"
},
{
"title": "SREASONRES",
"url": "http://securityreason.com/achievement_securityalert/93"
}
],
"creationTime": "2020-08-19T09:31:16.747359Z",
"modificationTime": "2020-08-19T13:30:19.293795Z",
"publicationTime": "2011-01-13T19:00:00Z",
"disclosureTime": "2011-01-13T19:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356874",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Access Restriction Bypass",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010023)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22851)\n- [Security Focus](http://www.securityfocus.com/bid/109167)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010023"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 8.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010023"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/109167"
}
],
"creationTime": "2020-08-19T09:35:27.628543Z",
"modificationTime": "2020-08-19T13:33:07.445070Z",
"publicationTime": "2019-07-24T09:36:38.241516Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453121",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010022)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010022"
],
"CWE": [
"CWE-119"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
}
],
"creationTime": "2020-08-19T09:35:26.747149Z",
"modificationTime": "2020-08-19T13:29:20.178601Z",
"publicationTime": "2019-07-24T09:33:32.251091Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453364",
"nvdSeverity": "critical",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Use of Insufficiently Random Values",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010025)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22853)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010025"
],
"CWE": [
"CWE-330"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097"
},
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010025"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
}
],
"creationTime": "2020-08-19T09:35:27.016766Z",
"modificationTime": "2020-08-19T13:35:28.490999Z",
"publicationTime": "2019-07-24T09:33:59.230537Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453579",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010024)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22852)\n- [Security Focus](http://www.securityfocus.com/bid/109162)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010024"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010024"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/109162"
}
],
"creationTime": "2020-08-19T09:35:29.520948Z",
"modificationTime": "2020-08-19T13:36:54.308319Z",
"publicationTime": "2019-07-24T09:44:44.882448Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453766",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nOn the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-19126)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25204)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-19126"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 3.3,
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-19126"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/"
},
{
"title": "Fedora Security Update",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126"
}
],
"creationTime": "2020-08-19T09:36:11.418236Z",
"modificationTime": "2020-08-19T13:37:12.264542Z",
"publicationTime": "2019-11-20T10:34:14.402456Z",
"disclosureTime": "2019-11-19T22:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-534996",
"nvdSeverity": "low",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.\n\n## References\n- [ADVISORY](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10029)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-10029)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTFUD5VH2GU3YOXA2KBQSBIDZRDWNZ3/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU5JJGENOK7K4X5RYAA5PL647C6HD22E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/23N76M3EDP2GIW4GOIQRYTKRE7PPBRB2/)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25487)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=9333498794cde1d5cca518badf79533a24114b6f)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200327-0003/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-10029"
],
"CWE": [
"CWE-119"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.5,
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10029"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-10029"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTFUD5VH2GU3YOXA2KBQSBIDZRDWNZ3/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU5JJGENOK7K4X5RYAA5PL647C6HD22E/"
},
{
"title": "Fedora Security Update",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/23N76M3EDP2GIW4GOIQRYTKRE7PPBRB2/"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25487"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=9333498794cde1d5cca518badf79533a24114b6f"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200327-0003/"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
}
],
"creationTime": "2020-08-19T09:36:38.031284Z",
"modificationTime": "2020-08-19T13:35:51.702733Z",
"publicationTime": "2020-03-04T19:23:06.877128Z",
"disclosureTime": "2020-03-04T15:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559182",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.\n\n## References\n- [ADVISORY](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-1751)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25423)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200430-0002/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-1751"
],
"CWE": [
"CWE-787"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7,
"CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-1751"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25423"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200430-0002/"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
}
],
"creationTime": "2020-08-19T09:36:38.582570Z",
"modificationTime": "2020-08-19T13:27:06.154738Z",
"publicationTime": "2020-03-07T09:28:25.311127Z",
"disclosureTime": "2020-04-17T19:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559491",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Use After Free",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nA use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=25414)\n- [CONFIRM](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-1752)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200511-0005/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-1752"
],
"CWE": [
"CWE-416"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7,
"CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25414"
},
{
"title": "CONFIRM",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-1752"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200511-0005/"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752"
}
],
"creationTime": "2020-08-19T09:36:38.539517Z",
"modificationTime": "2020-08-19T13:34:55.539347Z",
"publicationTime": "2020-03-07T09:28:24.292716Z",
"disclosureTime": "2020-04-30T17:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559495",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Integer Underflow",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-6096)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25620)\n- [MISC](https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-6096"
],
"CWE": [
"CWE-191"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 8.1,
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-6096"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25620"
},
{
"title": "MISC",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019"
}
],
"creationTime": "2020-08-19T09:36:43.808661Z",
"modificationTime": "2020-08-19T13:38:32.204283Z",
"publicationTime": "2020-04-02T10:24:04.497109Z",
"disclosureTime": "2020-04-01T22:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-564230",
"nvdSeverity": "high",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Uncontrolled Recursion",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\n** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9192)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24269)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-9192"
],
"CWE": [
"CWE-674"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-9192"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192"
}
],
"creationTime": "2020-08-19T09:34:51.311272Z",
"modificationTime": "2020-08-19T13:34:23.609181Z",
"publicationTime": "2019-02-26T18:29:00Z",
"disclosureTime": "2019-02-26T18:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338103",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K64119434)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2009-5155)\n- [MISC](http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=11053)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=18986)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2009-5155"
],
"CWE": [
"CWE-19"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K64119434"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2009-5155"
},
{
"title": "MISC",
"url": "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=11053"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18986"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155"
}
],
"creationTime": "2020-08-19T09:34:51.439546Z",
"modificationTime": "2020-08-19T13:31:00.372152Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338160",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Read",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.\n\n## References\n- [CONFIRM](https://kc.mcafee.com/corporate/index?page=content&id=SB10278)\n- [CONFIRM](https://support.f5.com/csp/article/K54823184)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9169)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24114)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=583dd860d5b833037175247230a328f0050dbfe9)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9169)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-9169"
],
"CWE": [
"CWE-125"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10278"
},
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K54823184"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-9169"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24114"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=583dd860d5b833037175247230a328f0050dbfe9"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/107160"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9169"
}
],
"creationTime": "2020-08-19T09:34:51.379318Z",
"modificationTime": "2020-08-19T13:36:47.683247Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338164",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-20796)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141)\n- [MISC](https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-20796"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-20796"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141"
},
{
"title": "MISC",
"url": "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/107160"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796"
}
],
"creationTime": "2020-08-19T09:34:51.479989Z",
"modificationTime": "2020-08-19T13:37:12.397231Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338175",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-7309)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24155)\n- [MISC](https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html)\n- [Security Focus](http://www.securityfocus.com/bid/106835)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7309)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-7309"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.5,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-7309"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24155"
},
{
"title": "MISC",
"url": "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106835"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7309"
}
],
"creationTime": "2020-08-19T09:34:43.910480Z",
"modificationTime": "2020-08-19T13:31:59.648898Z",
"publicationTime": "2019-02-03T16:14:42Z",
"disclosureTime": "2019-02-03T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356366",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Input Validation",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2016-10228)\n- [OSS security Advisory](http://openwall.com/lists/oss-security/2017/03/01/10)\n- [Security Focus](http://www.securityfocus.com/bid/96525)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10228)\n- [https://sourceware.org/bugzilla/show_bug.cgi?id=19519](https://sourceware.org/bugzilla/show_bug.cgi?id=19519)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2016-10228"
],
"CWE": [
"CWE-20"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
},
{
"title": "https://sourceware.org/bugzilla/show_bug.cgi?id=19519",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=19519"
},
{
"title": "OSS security Advisory",
"url": "http://openwall.com/lists/oss-security/2017/03/01/10"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/96525"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10228"
}
],
"creationTime": "2020-08-19T09:23:45.919566Z",
"modificationTime": "2020-08-19T13:34:26.920545Z",
"publicationTime": "2017-03-02T01:59:00Z",
"disclosureTime": "2017-03-02T01:59:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356370",
"nvdSeverity": "medium",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.\n\n## References\n- [Debian Bug Report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2015-8985)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/201908-06)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2017/02/14/9)\n- [Security Focus](http://www.securityfocus.com/bid/76916)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-8985)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2015-8985"
],
"CWE": [
"CWE-19"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Bug Report",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2015-8985"
},
{
"title": "Gentoo Security Advisory",
"url": "https://security.gentoo.org/glsa/201908-06"
},
{
"title": "OSS security Advisory",
"url": "http://www.openwall.com/lists/oss-security/2017/02/14/9"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/76916"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-8985"
}
],
"creationTime": "2020-08-19T09:24:07.629730Z",
"modificationTime": "2020-08-19T13:26:36.413956Z",
"publicationTime": "2017-03-20T16:59:00Z",
"disclosureTime": "2017-03-20T16:59:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356500",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2017-12132)\n- [MISC](https://arxiv.org/pdf/1205.4011.pdf)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=21361)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:0805)\n- [Security Focus](http://www.securityfocus.com/bid/100598)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12132)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2017-12132"
],
"CWE": [
"CWE-19"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-12132"
},
{
"title": "MISC",
"url": "https://arxiv.org/pdf/1205.4011.pdf"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=21361"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:0805"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/100598"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12132"
}
],
"creationTime": "2020-08-19T09:28:13.065297Z",
"modificationTime": "2020-08-19T13:33:37.919311Z",
"publicationTime": "2017-08-01T16:29:00Z",
"disclosureTime": "2017-08-01T16:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356559",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=22343)\n- [Debian Bug Report](http://bugs.debian.org/878159)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-6485)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n- [Oracle Security Advisory](https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html)\n- [REDHAT](https://access.redhat.com/errata/RHBA-2019:0327)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:3092)\n- [Security Focus](http://www.securityfocus.com/bid/102912)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4218-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-6485"
],
"CWE": [
"CWE-190",
"CWE-787"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22343"
},
{
"title": "Debian Bug Report",
"url": "http://bugs.debian.org/878159"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-6485"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
},
{
"title": "Oracle Security Advisory",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"title": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:3092"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/102912"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/4218-1/"
}
],
"creationTime": "2020-08-19T09:25:30.277984Z",
"modificationTime": "2020-08-19T13:29:26.891299Z",
"publicationTime": "2018-02-01T14:29:00Z",
"disclosureTime": "2018-02-01T14:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356602",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Resource Shutdown or Release",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-6488)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24097)\n- [Security Focus](http://www.securityfocus.com/bid/106671)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-6488"
],
"CWE": [
"CWE-404"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.8,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-6488"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24097"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106671"
}
],
"creationTime": "2020-08-19T09:34:39.468978Z",
"modificationTime": "2020-08-19T13:31:59.043038Z",
"publicationTime": "2019-01-19T14:43:33Z",
"disclosureTime": "2019-01-18T19:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356631",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nStack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.\n\n## References\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/515589/100/0/threaded)\n- [Cert Vulnerability Note](http://www.kb.cert.org/vuls/id/912279)\n- [Dead Link](http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4052)\n- [Exploit DB](http://www.exploit-db.com/exploits/15935)\n- [MISC](http://cxib.net/stuff/proftpd.gnu.c)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=645859)\n- [SECTRACK](http://securitytracker.com/id?1024832)\n- [SREASON](http://securityreason.com/securityalert/8003)\n- [SREASONRES](http://securityreason.com/achievement_securityalert/93)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2011/Jan/78)\n- [Secunia Advisory](http://secunia.com/advisories/42547)\n- [Security Focus](http://www.securityfocus.com/bid/45233)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4052"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F",
"patches": [],
"references": [
{
"title": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"
},
{
"title": "Cert Vulnerability Note",
"url": "http://www.kb.cert.org/vuls/id/912279"
},
{
"title": "Dead Link",
"url": "http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
},
{
"title": "Exploit DB",
"url": "http://www.exploit-db.com/exploits/15935"
},
{
"title": "MISC",
"url": "http://cxib.net/stuff/proftpd.gnu.c"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"
},
{
"title": "Seclists Full Disclosure",
"url": "http://seclists.org/fulldisclosure/2011/Jan/78"
},
{
"title": "SECTRACK",
"url": "http://securitytracker.com/id?1024832"
},
{
"title": "Secunia Advisory",
"url": "http://secunia.com/advisories/42547"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/45233"
},
{
"title": "SREASON",
"url": "http://securityreason.com/securityalert/8003"
},
{
"title": "SREASONRES",
"url": "http://securityreason.com/achievement_securityalert/93"
}
],
"creationTime": "2020-08-19T09:28:26.674545Z",
"modificationTime": "2020-08-19T13:28:29.798340Z",
"publicationTime": "2011-01-13T19:00:00Z",
"disclosureTime": "2011-01-13T19:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356670",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Functional",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Input Validation",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2016-10739)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=20018)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:2118)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1347549)\n- [Security Focus](http://www.securityfocus.com/bid/106672)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10739)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2016-10739"
],
"CWE": [
"CWE-20"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10739"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1347549"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2019:2118"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106672"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10739"
}
],
"creationTime": "2020-08-19T09:34:39.657052Z",
"modificationTime": "2020-08-19T13:31:49.173157Z",
"publicationTime": "2019-01-21T19:29:00Z",
"disclosureTime": "2019-01-21T19:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356682",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4756"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 4.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4756"
},
{
"title": "http://cxib.net/stuff/glob-0day.c",
"url": "http://cxib.net/stuff/glob-0day.c"
},
{
"title": "http://securityreason.com/achievement_securityalert/89",
"url": "http://securityreason.com/achievement_securityalert/89"
},
{
"title": "http://securityreason.com/exploitalert/9223",
"url": "http://securityreason.com/exploitalert/9223"
}
],
"creationTime": "2020-08-19T09:32:45.956285Z",
"modificationTime": "2020-08-19T13:37:14.998362Z",
"publicationTime": "2011-03-02T20:00:00Z",
"disclosureTime": "2011-03-02T20:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356734",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-1000001)\n- [Exploit DB](https://www.exploit-db.com/exploits/43775/)\n- [Exploit DB](https://www.exploit-db.com/exploits/44889/)\n- [MISC](https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n- [Oss-Sec Mailing List](http://seclists.org/oss-sec/2018/q1/38)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:0805)\n- [Security Focus](http://www.securityfocus.com/bid/102525)\n- [Security Tracker](http://www.securitytracker.com/id/1040162)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3534-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3536-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-1000001"
],
"CWE": [
"CWE-119"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 7.8,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
},
{
"title": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/43775/"
},
{
"title": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/44889/"
},
{
"title": "MISC",
"url": "https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
},
{
"title": "Oss-Sec Mailing List",
"url": "http://seclists.org/oss-sec/2018/q1/38"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:0805"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/102525"
},
{
"title": "Security Tracker",
"url": "http://www.securitytracker.com/id/1040162"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/3534-1/"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/3536-1/"
}
],
"creationTime": "2020-08-19T09:30:20.010782Z",
"modificationTime": "2020-08-19T13:32:47.826639Z",
"publicationTime": "2018-01-10T00:00:00Z",
"disclosureTime": "2018-01-10T00:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356851",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Functional",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=22774)\n- [CONFIRM](https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=8e448310d74b283c5cd02b9ed7fb997b47bf9b22)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-6551)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-6551"
],
"CWE": [
"CWE-190",
"CWE-787"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22774"
},
{
"title": "CONFIRM",
"url": "https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=8e448310d74b283c5cd02b9ed7fb997b47bf9b22"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-6551"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
}
],
"creationTime": "2020-08-19T09:22:21.085646Z",
"modificationTime": "2020-08-19T13:31:56.080160Z",
"publicationTime": "2018-02-02T14:29:00Z",
"disclosureTime": "2018-02-02T14:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356862",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "CVE-2010-4051",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"\n\n## References\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/515589/100/0/threaded)\n- [Cert Vulnerability Note](http://www.kb.cert.org/vuls/id/912279)\n- [Dead Link](http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4051)\n- [Exploit DB](http://www.exploit-db.com/exploits/15935)\n- [MISC](http://cxib.net/stuff/proftpd.gnu.c)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=645859)\n- [SECTRACK](http://securitytracker.com/id?1024832)\n- [SREASON](http://securityreason.com/securityalert/8003)\n- [SREASONRES](http://securityreason.com/achievement_securityalert/93)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2011/Jan/78)\n- [Secunia Advisory](http://secunia.com/advisories/42547)\n- [Security Focus](http://www.securityfocus.com/bid/45233)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4051"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"patches": [],
"references": [
{
"title": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"
},
{
"title": "Cert Vulnerability Note",
"url": "http://www.kb.cert.org/vuls/id/912279"
},
{
"title": "Dead Link",
"url": "http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4051"
},
{
"title": "Exploit DB",
"url": "http://www.exploit-db.com/exploits/15935"
},
{
"title": "MISC",
"url": "http://cxib.net/stuff/proftpd.gnu.c"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"
},
{
"title": "Seclists Full Disclosure",
"url": "http://seclists.org/fulldisclosure/2011/Jan/78"
},
{
"title": "SECTRACK",
"url": "http://securitytracker.com/id?1024832"
},
{
"title": "Secunia Advisory",
"url": "http://secunia.com/advisories/42547"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/45233"
},
{
"title": "SREASON",
"url": "http://securityreason.com/securityalert/8003"
},
{
"title": "SREASONRES",
"url": "http://securityreason.com/achievement_securityalert/93"
}
],
"creationTime": "2020-08-19T09:31:16.747359Z",
"modificationTime": "2020-08-19T13:30:19.293795Z",
"publicationTime": "2011-01-13T19:00:00Z",
"disclosureTime": "2011-01-13T19:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356874",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Access Restriction Bypass",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010023)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22851)\n- [Security Focus](http://www.securityfocus.com/bid/109167)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010023"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 8.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010023"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/109167"
}
],
"creationTime": "2020-08-19T09:35:27.628543Z",
"modificationTime": "2020-08-19T13:33:07.445070Z",
"publicationTime": "2019-07-24T09:36:38.241516Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453121",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010022)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010022"
],
"CWE": [
"CWE-119"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
}
],
"creationTime": "2020-08-19T09:35:26.747149Z",
"modificationTime": "2020-08-19T13:29:20.178601Z",
"publicationTime": "2019-07-24T09:33:32.251091Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453364",
"nvdSeverity": "critical",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Use of Insufficiently Random Values",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010025)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22853)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010025"
],
"CWE": [
"CWE-330"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097"
},
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010025"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
}
],
"creationTime": "2020-08-19T09:35:27.016766Z",
"modificationTime": "2020-08-19T13:35:28.490999Z",
"publicationTime": "2019-07-24T09:33:59.230537Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453579",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010024)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22852)\n- [Security Focus](http://www.securityfocus.com/bid/109162)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010024"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010024"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/109162"
}
],
"creationTime": "2020-08-19T09:35:29.520948Z",
"modificationTime": "2020-08-19T13:36:54.308319Z",
"publicationTime": "2019-07-24T09:44:44.882448Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453766",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nOn the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-19126)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25204)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-19126"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 3.3,
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-19126"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/"
},
{
"title": "Fedora Security Update",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126"
}
],
"creationTime": "2020-08-19T09:36:11.418236Z",
"modificationTime": "2020-08-19T13:37:12.264542Z",
"publicationTime": "2019-11-20T10:34:14.402456Z",
"disclosureTime": "2019-11-19T22:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-534996",
"nvdSeverity": "low",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.\n\n## References\n- [ADVISORY](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10029)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-10029)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTFUD5VH2GU3YOXA2KBQSBIDZRDWNZ3/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU5JJGENOK7K4X5RYAA5PL647C6HD22E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/23N76M3EDP2GIW4GOIQRYTKRE7PPBRB2/)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25487)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=9333498794cde1d5cca518badf79533a24114b6f)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200327-0003/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-10029"
],
"CWE": [
"CWE-119"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.5,
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10029"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-10029"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTFUD5VH2GU3YOXA2KBQSBIDZRDWNZ3/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU5JJGENOK7K4X5RYAA5PL647C6HD22E/"
},
{
"title": "Fedora Security Update",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/23N76M3EDP2GIW4GOIQRYTKRE7PPBRB2/"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25487"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=9333498794cde1d5cca518badf79533a24114b6f"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200327-0003/"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
}
],
"creationTime": "2020-08-19T09:36:38.031284Z",
"modificationTime": "2020-08-19T13:35:51.702733Z",
"publicationTime": "2020-03-04T19:23:06.877128Z",
"disclosureTime": "2020-03-04T15:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559182",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.\n\n## References\n- [ADVISORY](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-1751)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25423)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200430-0002/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-1751"
],
"CWE": [
"CWE-787"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7,
"CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-1751"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25423"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200430-0002/"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
}
],
"creationTime": "2020-08-19T09:36:38.582570Z",
"modificationTime": "2020-08-19T13:27:06.154738Z",
"publicationTime": "2020-03-07T09:28:25.311127Z",
"disclosureTime": "2020-04-17T19:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559491",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Use After Free",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nA use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=25414)\n- [CONFIRM](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-1752)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200511-0005/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-1752"
],
"CWE": [
"CWE-416"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7,
"CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25414"
},
{
"title": "CONFIRM",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-1752"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200511-0005/"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752"
}
],
"creationTime": "2020-08-19T09:36:38.539517Z",
"modificationTime": "2020-08-19T13:34:55.539347Z",
"publicationTime": "2020-03-07T09:28:24.292716Z",
"disclosureTime": "2020-04-30T17:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559495",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Integer Underflow",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-6096)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25620)\n- [MISC](https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-6096"
],
"CWE": [
"CWE-191"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 8.1,
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-6096"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25620"
},
{
"title": "MISC",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019"
}
],
"creationTime": "2020-08-19T09:36:43.808661Z",
"modificationTime": "2020-08-19T13:38:32.204283Z",
"publicationTime": "2020-04-02T10:24:04.497109Z",
"disclosureTime": "2020-04-01T22:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-564230",
"nvdSeverity": "high",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Uncontrolled Recursion",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\n** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9192)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24269)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-9192"
],
"CWE": [
"CWE-674"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-9192"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192"
}
],
"creationTime": "2020-08-19T09:34:51.311272Z",
"modificationTime": "2020-08-19T13:34:23.609181Z",
"publicationTime": "2019-02-26T18:29:00Z",
"disclosureTime": "2019-02-26T18:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338103",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K64119434)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2009-5155)\n- [MISC](http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=11053)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=18986)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2009-5155"
],
"CWE": [
"CWE-19"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K64119434"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2009-5155"
},
{
"title": "MISC",
"url": "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=11053"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18986"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155"
}
],
"creationTime": "2020-08-19T09:34:51.439546Z",
"modificationTime": "2020-08-19T13:31:00.372152Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338160",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Read",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.\n\n## References\n- [CONFIRM](https://kc.mcafee.com/corporate/index?page=content&id=SB10278)\n- [CONFIRM](https://support.f5.com/csp/article/K54823184)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9169)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24114)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=583dd860d5b833037175247230a328f0050dbfe9)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9169)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-9169"
],
"CWE": [
"CWE-125"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10278"
},
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K54823184"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-9169"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24114"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=583dd860d5b833037175247230a328f0050dbfe9"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/107160"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9169"
}
],
"creationTime": "2020-08-19T09:34:51.379318Z",
"modificationTime": "2020-08-19T13:36:47.683247Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338164",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-20796)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141)\n- [MISC](https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-20796"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.5,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-20796"
},
{
"title": "MISC",
"url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141"
},
{
"title": "MISC",
"url": "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190315-0002/"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/107160"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796"
}
],
"creationTime": "2020-08-19T09:34:51.479989Z",
"modificationTime": "2020-08-19T13:37:12.397231Z",
"publicationTime": "2019-02-26T02:29:00Z",
"disclosureTime": "2019-02-26T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-338175",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-7309)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24155)\n- [MISC](https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html)\n- [Security Focus](http://www.securityfocus.com/bid/106835)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7309)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-7309"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.5,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-7309"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24155"
},
{
"title": "MISC",
"url": "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106835"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7309"
}
],
"creationTime": "2020-08-19T09:34:43.910480Z",
"modificationTime": "2020-08-19T13:31:59.648898Z",
"publicationTime": "2019-02-03T16:14:42Z",
"disclosureTime": "2019-02-03T02:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356366",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Input Validation",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2016-10228)\n- [OSS security Advisory](http://openwall.com/lists/oss-security/2017/03/01/10)\n- [Security Focus](http://www.securityfocus.com/bid/96525)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10228)\n- [https://sourceware.org/bugzilla/show_bug.cgi?id=19519](https://sourceware.org/bugzilla/show_bug.cgi?id=19519)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2016-10228"
],
"CWE": [
"CWE-20"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
},
{
"title": "https://sourceware.org/bugzilla/show_bug.cgi?id=19519",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=19519"
},
{
"title": "OSS security Advisory",
"url": "http://openwall.com/lists/oss-security/2017/03/01/10"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/96525"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10228"
}
],
"creationTime": "2020-08-19T09:23:45.919566Z",
"modificationTime": "2020-08-19T13:34:26.920545Z",
"publicationTime": "2017-03-02T01:59:00Z",
"disclosureTime": "2017-03-02T01:59:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356370",
"nvdSeverity": "medium",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.\n\n## References\n- [Debian Bug Report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2015-8985)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/201908-06)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2017/02/14/9)\n- [Security Focus](http://www.securityfocus.com/bid/76916)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-8985)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2015-8985"
],
"CWE": [
"CWE-19"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "Debian Bug Report",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2015-8985"
},
{
"title": "Gentoo Security Advisory",
"url": "https://security.gentoo.org/glsa/201908-06"
},
{
"title": "OSS security Advisory",
"url": "http://www.openwall.com/lists/oss-security/2017/02/14/9"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/76916"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-8985"
}
],
"creationTime": "2020-08-19T09:24:07.629730Z",
"modificationTime": "2020-08-19T13:26:36.413956Z",
"publicationTime": "2017-03-20T16:59:00Z",
"disclosureTime": "2017-03-20T16:59:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356500",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Data Handling",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2017-12132)\n- [MISC](https://arxiv.org/pdf/1205.4011.pdf)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=21361)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:0805)\n- [Security Focus](http://www.securityfocus.com/bid/100598)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12132)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2017-12132"
],
"CWE": [
"CWE-19"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 5.9,
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-12132"
},
{
"title": "MISC",
"url": "https://arxiv.org/pdf/1205.4011.pdf"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=21361"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:0805"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/100598"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12132"
}
],
"creationTime": "2020-08-19T09:28:13.065297Z",
"modificationTime": "2020-08-19T13:33:37.919311Z",
"publicationTime": "2017-08-01T16:29:00Z",
"disclosureTime": "2017-08-01T16:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356559",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=22343)\n- [Debian Bug Report](http://bugs.debian.org/878159)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-6485)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n- [Oracle Security Advisory](https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html)\n- [REDHAT](https://access.redhat.com/errata/RHBA-2019:0327)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:3092)\n- [Security Focus](http://www.securityfocus.com/bid/102912)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4218-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-6485"
],
"CWE": [
"CWE-190",
"CWE-787"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22343"
},
{
"title": "Debian Bug Report",
"url": "http://bugs.debian.org/878159"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-6485"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
},
{
"title": "Oracle Security Advisory",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"title": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:3092"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/102912"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/4218-1/"
}
],
"creationTime": "2020-08-19T09:25:30.277984Z",
"modificationTime": "2020-08-19T13:29:26.891299Z",
"publicationTime": "2018-02-01T14:29:00Z",
"disclosureTime": "2018-02-01T14:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356602",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Resource Shutdown or Release",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-6488)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24097)\n- [Security Focus](http://www.securityfocus.com/bid/106671)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-6488"
],
"CWE": [
"CWE-404"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 7.8,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-6488"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24097"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106671"
}
],
"creationTime": "2020-08-19T09:34:39.468978Z",
"modificationTime": "2020-08-19T13:31:59.043038Z",
"publicationTime": "2019-01-19T14:43:33Z",
"disclosureTime": "2019-01-18T19:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356631",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nStack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.\n\n## References\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/515589/100/0/threaded)\n- [Cert Vulnerability Note](http://www.kb.cert.org/vuls/id/912279)\n- [Dead Link](http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4052)\n- [Exploit DB](http://www.exploit-db.com/exploits/15935)\n- [MISC](http://cxib.net/stuff/proftpd.gnu.c)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=645859)\n- [SECTRACK](http://securitytracker.com/id?1024832)\n- [SREASON](http://securityreason.com/securityalert/8003)\n- [SREASONRES](http://securityreason.com/achievement_securityalert/93)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2011/Jan/78)\n- [Secunia Advisory](http://secunia.com/advisories/42547)\n- [Security Focus](http://www.securityfocus.com/bid/45233)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4052"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F",
"patches": [],
"references": [
{
"title": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"
},
{
"title": "Cert Vulnerability Note",
"url": "http://www.kb.cert.org/vuls/id/912279"
},
{
"title": "Dead Link",
"url": "http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
},
{
"title": "Exploit DB",
"url": "http://www.exploit-db.com/exploits/15935"
},
{
"title": "MISC",
"url": "http://cxib.net/stuff/proftpd.gnu.c"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"
},
{
"title": "Seclists Full Disclosure",
"url": "http://seclists.org/fulldisclosure/2011/Jan/78"
},
{
"title": "SECTRACK",
"url": "http://securitytracker.com/id?1024832"
},
{
"title": "Secunia Advisory",
"url": "http://secunia.com/advisories/42547"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/45233"
},
{
"title": "SREASON",
"url": "http://securityreason.com/securityalert/8003"
},
{
"title": "SREASONRES",
"url": "http://securityreason.com/achievement_securityalert/93"
}
],
"creationTime": "2020-08-19T09:28:26.674545Z",
"modificationTime": "2020-08-19T13:28:29.798340Z",
"publicationTime": "2011-01-13T19:00:00Z",
"disclosureTime": "2011-01-13T19:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356670",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Functional",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Improper Input Validation",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2016-10739)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=20018)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:2118)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1347549)\n- [Security Focus](http://www.securityfocus.com/bid/106672)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10739)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2016-10739"
],
"CWE": [
"CWE-20"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10739"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1347549"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2019:2118"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/106672"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10739"
}
],
"creationTime": "2020-08-19T09:34:39.657052Z",
"modificationTime": "2020-08-19T13:31:49.173157Z",
"publicationTime": "2019-01-21T19:29:00Z",
"disclosureTime": "2019-01-21T19:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356682",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Resource Management Errors",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4756"
],
"CWE": [
"CWE-399"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 4.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4756"
},
{
"title": "http://cxib.net/stuff/glob-0day.c",
"url": "http://cxib.net/stuff/glob-0day.c"
},
{
"title": "http://securityreason.com/achievement_securityalert/89",
"url": "http://securityreason.com/achievement_securityalert/89"
},
{
"title": "http://securityreason.com/exploitalert/9223",
"url": "http://securityreason.com/exploitalert/9223"
}
],
"creationTime": "2020-08-19T09:32:45.956285Z",
"modificationTime": "2020-08-19T13:37:14.998362Z",
"publicationTime": "2011-03-02T20:00:00Z",
"disclosureTime": "2011-03-02T20:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356734",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nIn glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-1000001)\n- [Exploit DB](https://www.exploit-db.com/exploits/43775/)\n- [Exploit DB](https://www.exploit-db.com/exploits/44889/)\n- [MISC](https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n- [Oss-Sec Mailing List](http://seclists.org/oss-sec/2018/q1/38)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2018:0805)\n- [Security Focus](http://www.securityfocus.com/bid/102525)\n- [Security Tracker](http://www.securitytracker.com/id/1040162)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3534-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3536-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-1000001"
],
"CWE": [
"CWE-119"
]
},
"severity": "high",
"severityWithCritical": "high",
"cvssScore": 7.8,
"CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
},
{
"title": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/43775/"
},
{
"title": "Exploit DB",
"url": "https://www.exploit-db.com/exploits/44889/"
},
{
"title": "MISC",
"url": "https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
},
{
"title": "Oss-Sec Mailing List",
"url": "http://seclists.org/oss-sec/2018/q1/38"
},
{
"title": "RHSA Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2018:0805"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/102525"
},
{
"title": "Security Tracker",
"url": "http://www.securitytracker.com/id/1040162"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/3534-1/"
},
{
"title": "Ubuntu Security Advisory",
"url": "https://usn.ubuntu.com/3536-1/"
}
],
"creationTime": "2020-08-19T09:30:20.010782Z",
"modificationTime": "2020-08-19T13:32:47.826639Z",
"publicationTime": "2018-01-10T00:00:00Z",
"disclosureTime": "2018-01-10T00:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356851",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Functional",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=22774)\n- [CONFIRM](https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=8e448310d74b283c5cd02b9ed7fb997b47bf9b22)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-6551)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190404-0003/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2018-6551"
],
"CWE": [
"CWE-190",
"CWE-787"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22774"
},
{
"title": "CONFIRM",
"url": "https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=8e448310d74b283c5cd02b9ed7fb997b47bf9b22"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-6551"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20190404-0003/"
}
],
"creationTime": "2020-08-19T09:22:21.085646Z",
"modificationTime": "2020-08-19T13:31:56.080160Z",
"publicationTime": "2018-02-02T14:29:00Z",
"disclosureTime": "2018-02-02T14:29:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356862",
"nvdSeverity": "critical",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "CVE-2010-4051",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"\n\n## References\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/515589/100/0/threaded)\n- [Cert Vulnerability Note](http://www.kb.cert.org/vuls/id/912279)\n- [Dead Link](http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-4051)\n- [Exploit DB](http://www.exploit-db.com/exploits/15935)\n- [MISC](http://cxib.net/stuff/proftpd.gnu.c)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=645859)\n- [SECTRACK](http://securitytracker.com/id?1024832)\n- [SREASON](http://securityreason.com/securityalert/8003)\n- [SREASONRES](http://securityreason.com/achievement_securityalert/93)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2011/Jan/78)\n- [Secunia Advisory](http://secunia.com/advisories/42547)\n- [Security Focus](http://www.securityfocus.com/bid/45233)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-4051"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"patches": [],
"references": [
{
"title": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"
},
{
"title": "Cert Vulnerability Note",
"url": "http://www.kb.cert.org/vuls/id/912279"
},
{
"title": "Dead Link",
"url": "http://www.securityfocus.com/archive/1/archive/1/515589/100/0/threaded"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4051"
},
{
"title": "Exploit DB",
"url": "http://www.exploit-db.com/exploits/15935"
},
{
"title": "MISC",
"url": "http://cxib.net/stuff/proftpd.gnu.c"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"
},
{
"title": "Seclists Full Disclosure",
"url": "http://seclists.org/fulldisclosure/2011/Jan/78"
},
{
"title": "SECTRACK",
"url": "http://securitytracker.com/id?1024832"
},
{
"title": "Secunia Advisory",
"url": "http://secunia.com/advisories/42547"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/45233"
},
{
"title": "SREASON",
"url": "http://securityreason.com/securityalert/8003"
},
{
"title": "SREASONRES",
"url": "http://securityreason.com/achievement_securityalert/93"
}
],
"creationTime": "2020-08-19T09:31:16.747359Z",
"modificationTime": "2020-08-19T13:30:19.293795Z",
"publicationTime": "2011-01-13T19:00:00Z",
"disclosureTime": "2011-01-13T19:00:00Z",
"id": "SNYK-DEBIAN9-GLIBC-356874",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Access Restriction Bypass",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010023)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22851)\n- [Security Focus](http://www.securityfocus.com/bid/109167)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010023"
],
"CWE": []
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 8.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010023"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/109167"
}
],
"creationTime": "2020-08-19T09:35:27.628543Z",
"modificationTime": "2020-08-19T13:33:07.445070Z",
"publicationTime": "2019-07-24T09:36:38.241516Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453121",
"nvdSeverity": "high",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010022)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010022"
],
"CWE": [
"CWE-119"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 9.8,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
}
],
"creationTime": "2020-08-19T09:35:26.747149Z",
"modificationTime": "2020-08-19T13:29:20.178601Z",
"publicationTime": "2019-07-24T09:33:32.251091Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453364",
"nvdSeverity": "critical",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Use of Insufficiently Random Values",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010025)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22853)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010025"
],
"CWE": [
"CWE-330"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097"
},
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp%3Butm_medium=RSS"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010025"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
}
],
"creationTime": "2020-08-19T09:35:27.016766Z",
"modificationTime": "2020-08-19T13:35:28.490999Z",
"publicationTime": "2019-07-24T09:33:59.230537Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453579",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nGNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.\n\n## References\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1010024)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22852)\n- [Security Focus](http://www.securityfocus.com/bid/109162)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1010024"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://support.f5.com/csp/article/K06046097"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010024"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/109162"
}
],
"creationTime": "2020-08-19T09:35:29.520948Z",
"modificationTime": "2020-08-19T13:36:54.308319Z",
"publicationTime": "2019-07-24T09:44:44.882448Z",
"disclosureTime": "2019-07-15T04:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-453766",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nOn the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-19126)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25204)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-19126"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 3.3,
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-19126"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/"
},
{
"title": "Fedora Security Update",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126"
}
],
"creationTime": "2020-08-19T09:36:11.418236Z",
"modificationTime": "2020-08-19T13:37:12.264542Z",
"publicationTime": "2019-11-20T10:34:14.402456Z",
"disclosureTime": "2019-11-19T22:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-534996",
"nvdSeverity": "low",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-Bounds",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.\n\n## References\n- [ADVISORY](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10029)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-10029)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTFUD5VH2GU3YOXA2KBQSBIDZRDWNZ3/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU5JJGENOK7K4X5RYAA5PL647C6HD22E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/23N76M3EDP2GIW4GOIQRYTKRE7PPBRB2/)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25487)\n- [MISC](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=9333498794cde1d5cca518badf79533a24114b6f)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200327-0003/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-10029"
],
"CWE": [
"CWE-119"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.5,
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10029"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-10029"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTFUD5VH2GU3YOXA2KBQSBIDZRDWNZ3/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU5JJGENOK7K4X5RYAA5PL647C6HD22E/"
},
{
"title": "Fedora Security Update",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/23N76M3EDP2GIW4GOIQRYTKRE7PPBRB2/"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25487"
},
{
"title": "MISC",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commit%3Bh=9333498794cde1d5cca518badf79533a24114b6f"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200327-0003/"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
}
],
"creationTime": "2020-08-19T09:36:38.031284Z",
"modificationTime": "2020-08-19T13:35:51.702733Z",
"publicationTime": "2020-03-04T19:23:06.877128Z",
"disclosureTime": "2020-03-04T15:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559182",
"nvdSeverity": "medium",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Out-of-bounds Write",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.\n\n## References\n- [ADVISORY](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-1751)\n- [GENTOO](https://security.gentoo.org/glsa/202006-04)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25423)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200430-0002/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-1751"
],
"CWE": [
"CWE-787"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7,
"CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-1751"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-04"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25423"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200430-0002/"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
}
],
"creationTime": "2020-08-19T09:36:38.582570Z",
"modificationTime": "2020-08-19T13:27:06.154738Z",
"publicationTime": "2020-03-07T09:28:25.311127Z",
"disclosureTime": "2020-04-17T19:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559491",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Use After Free",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nA use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.\n\n## References\n- [CONFIRM](https://sourceware.org/bugzilla/show_bug.cgi?id=25414)\n- [CONFIRM](https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-1752)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200511-0005/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752)\n- [UBUNTU](https://usn.ubuntu.com/4416-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-1752"
],
"CWE": [
"CWE-416"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"cvssScore": 7,
"CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "CONFIRM",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25414"
},
{
"title": "CONFIRM",
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-1752"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20200511-0005/"
},
{
"title": "RedHat Bugzilla Bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4416-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752"
}
],
"creationTime": "2020-08-19T09:36:38.539517Z",
"modificationTime": "2020-08-19T13:34:55.539347Z",
"publicationTime": "2020-03-07T09:28:24.292716Z",
"disclosureTime": "2020-04-30T17:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-559495",
"nvdSeverity": "high",
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Integer Underflow",
"credit": [
""
],
"packageName": "glibc",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nAn exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2020-6096)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=25620)\n- [MISC](https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2020-6096"
],
"CWE": [
"CWE-191"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 8.1,
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2020-6096"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/"
},
{
"title": "MISC",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25620"
},
{
"title": "MISC",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019"
}
],
"creationTime": "2020-08-19T09:36:43.808661Z",
"modificationTime": "2020-08-19T13:38:32.204283Z",
"publicationTime": "2020-04-02T10:24:04.497109Z",
"disclosureTime": "2020-04-01T22:15:00Z",
"id": "SNYK-DEBIAN9-GLIBC-564230",
"nvdSeverity": "high",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"glibc/libc6@2.24-11+deb9u4"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "glibc/libc6",
"version": "2.24-11+deb9u4"
},
{
"title": "Cryptographic Issues",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2007-6755"
],
"CWE": [
"CWE-310"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.4,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2007-6755"
},
{
"title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/",
"url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/"
},
{
"title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html",
"url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html"
},
{
"title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html",
"url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html"
},
{
"title": "http://rump2007.cr.yp.to/15-shumow.pdf",
"url": "http://rump2007.cr.yp.to/15-shumow.pdf"
},
{
"title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/",
"url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/"
},
{
"title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html",
"url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
},
{
"title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect",
"url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/63657"
}
],
"creationTime": "2020-08-19T09:23:31.721887Z",
"modificationTime": "2020-08-19T13:31:19.869332Z",
"publicationTime": "2013-10-11T22:55:00Z",
"disclosureTime": "2013-10-11T22:55:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-374708",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl/libssl1.1",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Cryptographic Issues",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.osvdb.org/62808](http://www.osvdb.org/62808)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-0928"
],
"CWE": [
"CWE-310"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.1,
"CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-0928"
},
{
"title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
"url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"
},
{
"title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
"url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"
},
{
"title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
"url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"
},
{
"title": "http://www.osvdb.org/62808",
"url": "http://www.osvdb.org/62808"
},
{
"title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
"url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"
},
{
"title": "http://xforce.iss.net/xforce/xfdb/56750",
"url": "http://xforce.iss.net/xforce/xfdb/56750"
},
{
"title": "X-force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
}
],
"creationTime": "2020-08-19T09:30:53.396991Z",
"modificationTime": "2020-08-19T13:28:20.872020Z",
"publicationTime": "2010-03-05T19:30:00Z",
"disclosureTime": "2010-03-05T19:30:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-374995",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl/libssl1.1",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1551"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},
{
"title": "Bugtraq Mailing List",
"url": "https://seclists.org/bugtraq/2019/Dec/39"
},
{
"title": "Bugtraq Mailing List",
"url": "https://seclists.org/bugtraq/2019/Dec/46"
},
{
"title": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f"
},
{
"title": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98"
},
{
"title": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"title": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2020-03"
},
{
"title": "Debian Security Advisory",
"url": "https://www.debian.org/security/2019/dsa-4594"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1551"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202004-10"
},
{
"title": "MISC",
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},
{
"title": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
},
{
"title": "OpenSSL Security Advisory",
"url": "https://www.openssl.org/news/secadv/20191206.txt"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4376-1/"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4504-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551"
}
],
"creationTime": "2020-08-19T09:36:15.849675Z",
"modificationTime": "2020-08-19T13:27:46.325432Z",
"publicationTime": "2019-12-06T18:58:11.603400Z",
"disclosureTime": "2019-12-06T18:15:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-536850",
"nvdSeverity": "medium",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl/libssl1.1@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl/libssl1.1",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Cryptographic Issues",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2007-6755"
],
"CWE": [
"CWE-310"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.4,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2007-6755"
},
{
"title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/",
"url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/"
},
{
"title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html",
"url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html"
},
{
"title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html",
"url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html"
},
{
"title": "http://rump2007.cr.yp.to/15-shumow.pdf",
"url": "http://rump2007.cr.yp.to/15-shumow.pdf"
},
{
"title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/",
"url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/"
},
{
"title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html",
"url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
},
{
"title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect",
"url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/63657"
}
],
"creationTime": "2020-08-19T09:23:31.721887Z",
"modificationTime": "2020-08-19T13:31:19.869332Z",
"publicationTime": "2013-10-11T22:55:00Z",
"disclosureTime": "2013-10-11T22:55:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-374708",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"openssl/libssl1.1@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl/libssl1.1",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Cryptographic Issues",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.osvdb.org/62808](http://www.osvdb.org/62808)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-0928"
],
"CWE": [
"CWE-310"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.1,
"CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-0928"
},
{
"title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
"url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"
},
{
"title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
"url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"
},
{
"title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
"url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"
},
{
"title": "http://www.osvdb.org/62808",
"url": "http://www.osvdb.org/62808"
},
{
"title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
"url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"
},
{
"title": "http://xforce.iss.net/xforce/xfdb/56750",
"url": "http://xforce.iss.net/xforce/xfdb/56750"
},
{
"title": "X-force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
}
],
"creationTime": "2020-08-19T09:30:53.396991Z",
"modificationTime": "2020-08-19T13:28:20.872020Z",
"publicationTime": "2010-03-05T19:30:00Z",
"disclosureTime": "2010-03-05T19:30:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-374995",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"openssl/libssl1.1@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl/libssl1.1",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1551"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},
{
"title": "Bugtraq Mailing List",
"url": "https://seclists.org/bugtraq/2019/Dec/39"
},
{
"title": "Bugtraq Mailing List",
"url": "https://seclists.org/bugtraq/2019/Dec/46"
},
{
"title": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f"
},
{
"title": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98"
},
{
"title": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"title": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2020-03"
},
{
"title": "Debian Security Advisory",
"url": "https://www.debian.org/security/2019/dsa-4594"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1551"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202004-10"
},
{
"title": "MISC",
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},
{
"title": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
},
{
"title": "OpenSSL Security Advisory",
"url": "https://www.openssl.org/news/secadv/20191206.txt"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4376-1/"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4504-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551"
}
],
"creationTime": "2020-08-19T09:36:15.849675Z",
"modificationTime": "2020-08-19T13:27:46.325432Z",
"publicationTime": "2019-12-06T18:58:11.603400Z",
"disclosureTime": "2019-12-06T18:15:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-536850",
"nvdSeverity": "medium",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1",
"openssl/libssl1.1@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl/libssl1.1",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Cryptographic Issues",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2007-6755"
],
"CWE": [
"CWE-310"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.4,
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2007-6755"
},
{
"title": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/",
"url": "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/"
},
{
"title": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html",
"url": "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html"
},
{
"title": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html",
"url": "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html"
},
{
"title": "http://rump2007.cr.yp.to/15-shumow.pdf",
"url": "http://rump2007.cr.yp.to/15-shumow.pdf"
},
{
"title": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/",
"url": "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/"
},
{
"title": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html",
"url": "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
},
{
"title": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect",
"url": "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect"
},
{
"title": "Security Focus",
"url": "http://www.securityfocus.com/bid/63657"
}
],
"creationTime": "2020-08-19T09:23:31.721887Z",
"modificationTime": "2020-08-19T13:31:19.869332Z",
"publicationTime": "2013-10-11T22:55:00Z",
"disclosureTime": "2013-10-11T22:55:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-374708",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Cryptographic Issues",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.osvdb.org/62808](http://www.osvdb.org/62808)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2010-0928"
],
"CWE": [
"CWE-310"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.1,
"CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"patches": [],
"references": [
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-0928"
},
{
"title": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/",
"url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"
},
{
"title": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf",
"url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"
},
{
"title": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html",
"url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"
},
{
"title": "http://www.osvdb.org/62808",
"url": "http://www.osvdb.org/62808"
},
{
"title": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/",
"url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"
},
{
"title": "http://xforce.iss.net/xforce/xfdb/56750",
"url": "http://xforce.iss.net/xforce/xfdb/56750"
},
{
"title": "X-force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"
}
],
"creationTime": "2020-08-19T09:30:53.396991Z",
"modificationTime": "2020-08-19T13:28:20.872020Z",
"publicationTime": "2010-03-05T19:30:00Z",
"disclosureTime": "2010-03-05T19:30:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-374995",
"nvdSeverity": "medium",
"relativeImportance": "unimportant",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl",
"version": "1.1.0l-1~deb9u1"
},
{
"title": "Information Exposure",
"credit": [
""
],
"packageName": "openssl",
"language": "linux",
"packageManager": "debian:9",
"description": "## Overview\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2019-1551"
],
"CWE": [
"CWE-200"
]
},
"severity": "low",
"severityWithCritical": "low",
"cvssScore": 5.3,
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"patches": [],
"references": [
{
"title": "ADVISORY",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
},
{
"title": "Bugtraq Mailing List",
"url": "https://seclists.org/bugtraq/2019/Dec/39"
},
{
"title": "Bugtraq Mailing List",
"url": "https://seclists.org/bugtraq/2019/Dec/46"
},
{
"title": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f"
},
{
"title": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98"
},
{
"title": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"title": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2020-03"
},
{
"title": "Debian Security Advisory",
"url": "https://www.debian.org/security/2019/dsa-4594"
},
{
"title": "Debian Security Tracker",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-1551"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
},
{
"title": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
},
{
"title": "GENTOO",
"url": "https://security.gentoo.org/glsa/202004-10"
},
{
"title": "MISC",
"url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
},
{
"title": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"title": "Netapp Security Advisory",
"url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
},
{
"title": "OpenSSL Security Advisory",
"url": "https://www.openssl.org/news/secadv/20191206.txt"
},
{
"title": "OpenSuse Security Announcement",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4376-1/"
},
{
"title": "UBUNTU",
"url": "https://usn.ubuntu.com/4504-1/"
},
{
"title": "Ubuntu CVE Tracker",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551"
}
],
"creationTime": "2020-08-19T09:36:15.849675Z",
"modificationTime": "2020-08-19T13:27:46.325432Z",
"publicationTime": "2019-12-06T18:58:11.603400Z",
"disclosureTime": "2019-12-06T18:15:00Z",
"id": "SNYK-DEBIAN9-OPENSSL-536850",
"nvdSeverity": "medium",
"relativeImportance": "low",
"semver": {
"vulnerable": [
"*"
]
},
"exploit": "Not Defined",
"from": [
"docker-image|gcr.io/distroless/base@latest",
"openssl@1.1.0l-1~deb9u1"
],
"upgradePath": [],
"isUpgradable": false,
"isPatchable": false,
"name": "openssl",
"version": "1.1.0l-1~deb9u1"
}
],
"ok": false,
"dependencyCount": 6,
"org": "garethr",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.19.0\nignore: {}\npatch: {}\n",
"isPrivate": true,
"licensesPolicy": {
"severities": {},
"orgLicenseRules": {
"AGPL-1.0": {
"licenseType": "AGPL-1.0",
"severity": "high",
"instructions": ""
},
"AGPL-3.0": {
"licenseType": "AGPL-3.0",
"severity": "high",
"instructions": ""
},
"Artistic-1.0": {
"licenseType": "Artistic-1.0",
"severity": "medium",
"instructions": ""
},
"Artistic-2.0": {
"licenseType": "Artistic-2.0",
"severity": "medium",
"instructions": ""
},
"CDDL-1.0": {
"licenseType": "CDDL-1.0",
"severity": "medium",
"instructions": ""
},
"CPOL-1.02": {
"licenseType": "CPOL-1.02",
"severity": "high",
"instructions": ""
},
"GPL-2.0": {
"licenseType": "GPL-2.0",
"severity": "high",
"instructions": ""
},
"GPL-3.0": {
"licenseType": "GPL-3.0",
"severity": "high",
"instructions": ""
},
"LGPL-2.0": {
"licenseType": "LGPL-2.0",
"severity": "medium",
"instructions": ""
},
"LGPL-2.1": {
"licenseType": "LGPL-2.1",
"severity": "medium",
"instructions": ""
},
"LGPL-2.1+": {
"licenseType": "LGPL-2.1+",
"severity": "medium",
"instructions": ""
},
"LGPL-3.0": {
"licenseType": "LGPL-3.0",
"severity": "medium",
"instructions": ""
},
"LGPL-3.0+": {
"licenseType": "LGPL-3.0+",
"severity": "medium",
"instructions": ""
},
"MPL-1.1": {
"licenseType": "MPL-1.1",
"severity": "medium",
"instructions": ""
},
"MS-RL": {
"licenseType": "MS-RL",
"severity": "medium",
"instructions": ""
},
"SimPL-2.0": {
"licenseType": "SimPL-2.0",
"severity": "high",
"instructions": ""
}
}
},
"packageManager": "deb",
"ignoreSettings": {
"adminOnly": false,
"reasonRequired": true,
"disregardFilesystemIgnores": false
},
"docker": {},
"summary": "84 vulnerable dependency paths",
"filesystemPolicy": false,
"filtered": {
"ignore": [],
"patch": []
},
"uniqueCount": 28,
"projectName": "docker-image|gcr.io/distroless/base",
"path": "gcr.io/distroless/base/distroless/base"
}