-
-
Save jgsqware/694e9b92dcdaddb88adf to your computer and use it in GitHub Desktop.
Clair Json Report
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "ID": "sha256:d89e1bee20d9cb344674e213b581f14fbd8e70274ecf9d10c514bab78a307845", | |
| "ImageName": "jgsqware/ubuntu-git:latest", | |
| "Vulnerabilities": [ | |
| { | |
| "ID": "CVE-2015-1865", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-1865", | |
| "Priority": "Low", | |
| "Description": "\"time of check to time of use\" race condition fts.c", | |
| "CausedByPackage": "coreutils" | |
| }, | |
| { | |
| "ID": "CVE-2014-8121", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-8121", | |
| "Priority": "Medium", | |
| "Description": "DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over the database, which triggers the file pointer to be reset.", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2015-5277", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-5277", | |
| "Priority": "High", | |
| "Description": "The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2015-5180", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-5180", | |
| "Priority": "Low", | |
| "Description": "DNS resolver NULL pointer dereference with crafted record type", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2014-9761", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9761", | |
| "Priority": "Low", | |
| "Description": "nan function unbounded stack allocation", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2015-1781", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-1781", | |
| "Priority": "Medium", | |
| "Description": "Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer.", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2015-8776", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8776", | |
| "Priority": "Low", | |
| "Description": "Passing out of range data to strftime() causes a segfault", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2015-8778", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8778", | |
| "Priority": "Low", | |
| "Description": "hcreate((size_t)-1) should fail with ENOMEM", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2015-8777", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8777", | |
| "Priority": "Low", | |
| "Description": "The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2015-8779", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8779", | |
| "Priority": "Low", | |
| "Description": "catopen() Multiple unbounded stack allocations", | |
| "CausedByPackage": "eglibc" | |
| }, | |
| { | |
| "ID": "CVE-2014-2524", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-2524", | |
| "Priority": "Low", | |
| "Description": "The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.", | |
| "CausedByPackage": "readline6" | |
| }, | |
| { | |
| "ID": "CVE-2015-8239", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8239", | |
| "Priority": "Medium", | |
| "Description": "race condition checking digests/checksums in sudoers", | |
| "CausedByPackage": "sudo" | |
| }, | |
| { | |
| "ID": "CVE-2015-5602", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-5602", | |
| "Priority": "High", | |
| "Description": "sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by \"/home/*/*/file.txt.\"", | |
| "CausedByPackage": "sudo" | |
| }, | |
| { | |
| "ID": "CVE-2015-7575", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-7575", | |
| "Priority": "Medium", | |
| "Description": "Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.", | |
| "CausedByPackage": "gnutls26" | |
| }, | |
| { | |
| "ID": "CVE-2014-8625", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-8625", | |
| "Priority": "Medium", | |
| "Description": "Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.", | |
| "CausedByPackage": "dpkg" | |
| }, | |
| { | |
| "ID": "CVE-2014-2667", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-2667", | |
| "Priority": "Low", | |
| "Description": "Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.", | |
| "CausedByPackage": "python3.4" | |
| }, | |
| { | |
| "ID": "CVE-2015-1197", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-1197", | |
| "Priority": "Low", | |
| "Description": "cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.", | |
| "CausedByPackage": "cpio" | |
| }, | |
| { | |
| "ID": "CVE-2016-2037", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2016-2037", | |
| "Priority": "Medium", | |
| "Description": "out-of-bounds write with cpio 2.11", | |
| "CausedByPackage": "cpio" | |
| }, | |
| { | |
| "ID": "CVE-2015-7974", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-7974", | |
| "Priority": "Low", | |
| "Description": "NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a \"skeleton key.\"", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-7973", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-7973", | |
| "Priority": "Low", | |
| "Description": "Deja Vu: Replay attack on authenticated broadcast mode", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-7976", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-7976", | |
| "Priority": "Low", | |
| "Description": "ntpq saveconfig command allows dangerous characters in filenames", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-8158", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8158", | |
| "Priority": "Low", | |
| "Description": "Potential Infinite Loop in ntpq", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-7978", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-7978", | |
| "Priority": "Medium", | |
| "Description": "Stack exhaustion in recursive traversal of restriction list", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-7977", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-7977", | |
| "Priority": "Medium", | |
| "Description": "reslist NULL pointer dereference", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-8140", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8140", | |
| "Priority": "Low", | |
| "Description": "ntpq vulnerable to replay attacks", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-8139", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8139", | |
| "Priority": "Low", | |
| "Description": "Origin Leak: ntpq and ntpdc, disclose origin", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2016-0727", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2016-0727", | |
| "Priority": "Low", | |
| "Description": "NTP statsdir cleanup cronjob insecure", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-7979", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-7979", | |
| "Priority": "Low", | |
| "Description": "Off-path Denial of Service (DoS) attack on authenticated broadcast mode", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2015-8138", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8138", | |
| "Priority": "Medium", | |
| "Description": "ntp: missing check for zero originate timestamp", | |
| "CausedByPackage": "ntp" | |
| }, | |
| { | |
| "ID": "CVE-2016-1283", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2016-1283", | |
| "Priority": "High", | |
| "Description": "The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\\\"){99}-))(?J)(?'R'(?'R'\u003c((?'RR'(?'R'\\){97)?J)?J)(?'R'(?'R'\\){99|(:(?|(?'R')(\\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-2327", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-2327", | |
| "Priority": "High", | |
| "Description": "PCRE before 8.36 mishandles the /(((a\\2)|(a*)\\g\u003c-1\u003e))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8386", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8386", | |
| "Priority": "High", | |
| "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8387", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8387", | |
| "Priority": "High", | |
| "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8393", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8393", | |
| "Priority": "Medium", | |
| "Description": "pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8382", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8382", | |
| "Priority": "Medium", | |
| "Description": "The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8380", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8380", | |
| "Priority": "High", | |
| "Description": "The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \\01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8394", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8394", | |
| "Priority": "High", | |
| "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8390", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8390", | |
| "Priority": "High", | |
| "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-2328", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-2328", | |
| "Priority": "High", | |
| "Description": "PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-8391", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8391", | |
| "Priority": "High", | |
| "Description": "The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", | |
| "CausedByPackage": "pcre3" | |
| }, | |
| { | |
| "ID": "CVE-2015-0245", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-0245", | |
| "Priority": "Low", | |
| "Description": "D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.", | |
| "CausedByPackage": "dbus" | |
| }, | |
| { | |
| "ID": "CVE-2013-0157", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2013-0157", | |
| "Priority": "Low", | |
| "Description": "(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.", | |
| "CausedByPackage": "util-linux" | |
| }, | |
| { | |
| "ID": "CVE-2014-9114", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9114", | |
| "Priority": "Low", | |
| "Description": "blkid command injection", | |
| "CausedByPackage": "util-linux" | |
| }, | |
| { | |
| "ID": "CVE-2015-8472", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8472", | |
| "Priority": "High", | |
| "Description": "Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.", | |
| "CausedByPackage": "libpng" | |
| }, | |
| { | |
| "ID": "CVE-2015-8540", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8540", | |
| "Priority": "Medium", | |
| "Description": "underflow read in png_check_keyword in pngwutil.c", | |
| "CausedByPackage": "libpng" | |
| }, | |
| { | |
| "ID": "CVE-2014-4330", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-4330", | |
| "Priority": "Low", | |
| "Description": "The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.", | |
| "CausedByPackage": "perl" | |
| }, | |
| { | |
| "ID": "CVE-2013-7422", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2013-7422", | |
| "Priority": "High", | |
| "Description": "Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.", | |
| "CausedByPackage": "perl" | |
| }, | |
| { | |
| "ID": "CVE-2014-9621", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9621", | |
| "Priority": "Medium", | |
| "Description": "The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.", | |
| "CausedByPackage": "file" | |
| }, | |
| { | |
| "ID": "CVE-2014-9653", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9653", | |
| "Priority": "High", | |
| "Description": "readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.", | |
| "CausedByPackage": "file" | |
| }, | |
| { | |
| "ID": "CVE-2014-9620", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9620", | |
| "Priority": "Medium", | |
| "Description": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.", | |
| "CausedByPackage": "file" | |
| }, | |
| { | |
| "ID": "CVE-2015-8605", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-8605", | |
| "Priority": "Medium", | |
| "Description": "ISC DHCP 4.x before 4.1-ESV-R12-P1 and 4.2.x and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.", | |
| "CausedByPackage": "isc-dhcp" | |
| }, | |
| { | |
| "ID": "CVE-2015-5276", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-5276", | |
| "Priority": "Medium", | |
| "Description": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.", | |
| "CausedByPackage": "gcc-4.8" | |
| }, | |
| { | |
| "ID": "CVE-2014-5044", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-5044", | |
| "Priority": "Low", | |
| "Description": "Array memory allocations could cause an integer overflow and thus memory overflow issues at runtime.", | |
| "CausedByPackage": "gcc-4.8" | |
| }, | |
| { | |
| "ID": "CVE-2014-9645", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9645", | |
| "Priority": "Low", | |
| "Description": "modprobe wrongly accepts paths as module names", | |
| "CausedByPackage": "busybox" | |
| }, | |
| { | |
| "ID": "CVE-2011-5325", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2011-5325", | |
| "Priority": "Medium", | |
| "Description": "path traversal vulnerability in busybox tar", | |
| "CausedByPackage": "busybox" | |
| }, | |
| { | |
| "ID": "CVE-2013-7041", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2013-7041", | |
| "Priority": "Low", | |
| "Description": "The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack.", | |
| "CausedByPackage": "pam" | |
| }, | |
| { | |
| "ID": "CVE-2015-3238", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2015-3238", | |
| "Priority": "Medium", | |
| "Description": "The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.", | |
| "CausedByPackage": "pam" | |
| }, | |
| { | |
| "ID": "CVE-2014-2583", | |
| "Link": "https://security-tracker.debian.org/tracker/CVE-2014-2583", | |
| "Priority": "Low", | |
| "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.", | |
| "CausedByPackage": "pam" | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment