CVE-2017-14062 in base image debian:stretch-slim #14182
Comments
|
@jeff-cook What images did you have in mind? |
|
|
xlson
added a commit
to xlson/grafana
that referenced
this issue
Nov 26, 2018
xlson
added a commit
that referenced
this issue
Nov 26, 2018
|
I have just started adding Anchore-engine to my pipelines. I'll get a test setup for that build. |
|
@jeff-cook thanks! |
|
Still has HIGH Vulnerability found in os package type (dpkg) - libidn11 (CVE-2017-14062 - https://security-tracker.debian.org/tracker/CVE-2017-14062) It looks like maybe they are not going to fix it in stretch, but in buster.
|
|
Thanks for checking it out. Not sure if its worth going up to the yet
unreleased buster to fix this, my inclination would be to wait but we'll
see.
…On Mon, Nov 26, 2018 at 5:25 PM Jeff Cook ***@***.***> wrote:
Still has HIGH Vulnerability found in os package type (dpkg) - libidn11
(CVE-2017-14062 -
https://security-tracker.debian.org/tracker/CVE-2017-14062)
It looks like maybe they are not going to fix it in stretch, but in buster.
Source Package Release Version Status
libidn (PTS) jessie 1.29-1+deb8u2 vulnerable
jessie (security) 1.29-1+deb8u3 fixed
stretch 1.33-1 vulnerable
buster, sid 1.33-2.2 fixed
libidn2-0 (PTS) jessie (security), jessie 0.10-2+deb8u1 fixed
stretch (security), stretch 0.16-1+deb9u1 fixed
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#14182 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHA-bCdRRSFB_KpmDY8uC-4Nv4AfLVLks5uzBYTgaJpZM4YyNiW>
.
|
|
This is a showstopper for me - is there a plan to move to buster-slim? Or perhaps alpine? |
|
After digging a bit, I've found that there are quite a few open CVEs in the stretch-slim image:
I wonder if it would be feasible to publish an alpine based image, which doesn't have such a large surface area for vulnerabilities? |
|
@jsravn We will move to buster-slim when buster is stable. Alpine has been tried but from what I remember there were some problems that made it not work for us at that point. Alpine could definitely be an option though. For now I'd recommend building your own image if you need to move to buster ahead of the main Grafana image. You could even use the official Dockerfile and set the image to buster-slim (we recently made it possible to set image as argument to the build process). |
|
@xlson thanks for the info. I'm going to see if I can get it working on alpine. If not, I will build against buster-slim for now. |
|
@jsravn Good luck. Let me know how to goes. |
darrachequesne
pushed a commit
to adeo/grafana
that referenced
this issue
Jan 29, 2019
darrachequesne
pushed a commit
to adeo/grafana
that referenced
this issue
Jan 29, 2019
|
Here are a list of CVEs found using Clair "LastCheck": "2019-05-05T16:01:01.672261281Z",
"Image": "grafana/grafana:6.1.6",
"ScanStarted": false,
"Report": {
"unapproved": [
"CVE-2016-10739",
"CVE-2018-6551",
"CVE-2009-5155",
"CVE-2018-6485",
"CVE-2017-12132",
"CVE-2019-9169",
"CVE-2018-1000001",
"CVE-2017-14062",
"CVE-2016-2779",
"CVE-2019-3836",
"CVE-2019-3829",
"CVE-2011-3389",
"CVE-2018-1000858",
"CVE-2017-12424",
"CVE-2018-5710",
"CVE-2018-5730",
"CVE-2018-5729",
"CVE-2017-18078",
"CVE-2019-3844",
"CVE-2019-3843"
],
"vulnerabilities": [
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2018-1000001",
"namespace": "debian:9",
"description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001",
"severity": "High",
"fixedby": ""
},
{
"featurename": "shadow",
"featureversion": "1:4.4-4.1",
"vulnerability": "CVE-2017-12424",
"namespace": "debian:9",
"description": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-12424",
"severity": "High",
"fixedby": ""
},
{
"featurename": "util-linux",
"featureversion": "2.29.2-1+deb9u1",
"vulnerability": "CVE-2016-2779",
"namespace": "debian:9",
"description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"link": "https://security-tracker.debian.org/tracker/CVE-2016-2779",
"severity": "High",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2019-9169",
"namespace": "debian:9",
"description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-9169",
"severity": "High",
"fixedby": ""
},
{
"featurename": "libidn",
"featureversion": "1.33-1",
"vulnerability": "CVE-2017-14062",
"namespace": "debian:9",
"description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-14062",
"severity": "High",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2018-6551",
"namespace": "debian:9",
"description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-6551",
"severity": "High",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2018-6485",
"namespace": "debian:9",
"description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-6485",
"severity": "High",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2018-5730",
"namespace": "debian:9",
"description": "MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a \"linkdn\" and \"containerdn\" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-5730",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2009-5155",
"namespace": "debian:9",
"description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
"link": "https://security-tracker.debian.org/tracker/CVE-2009-5155",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "gnutls28",
"featureversion": "3.5.8-5+deb9u4",
"vulnerability": "CVE-2019-3829",
"namespace": "debian:9",
"description": "A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-3829",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "gnutls28",
"featureversion": "3.5.8-5+deb9u4",
"vulnerability": "CVE-2011-3389",
"namespace": "debian:9",
"description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.",
"link": "https://security-tracker.debian.org/tracker/CVE-2011-3389",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "gnutls28",
"featureversion": "3.5.8-5+deb9u4",
"vulnerability": "CVE-2019-3836",
"namespace": "debian:9",
"description": "It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-3836",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2017-12132",
"namespace": "debian:9",
"description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-12132",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2017-18078",
"namespace": "debian:9",
"description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-18078",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "gnupg2",
"featureversion": "2.1.18-8~deb9u4",
"vulnerability": "CVE-2018-1000858",
"namespace": "debian:9",
"description": "GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1000858",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2016-10739",
"namespace": "debian:9",
"description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
"link": "https://security-tracker.debian.org/tracker/CVE-2016-10739",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2019-3844",
"namespace": "debian:9",
"description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-3844",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2019-3843",
"namespace": "debian:9",
"description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-3843",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2018-5710",
"namespace": "debian:9",
"description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function \"strlen\" is getting a \"NULL\" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-5710",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2018-5729",
"namespace": "debian:9",
"description": "MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-5729",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "ncurses",
"featureversion": "6.0+20161126-1+deb9u2",
"vulnerability": "CVE-2018-10754",
"namespace": "debian:9",
"description": "In ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service if the terminfo library code is used to process untrusted terminfo data in which a use-name is invalid syntax. The product proceeds to the dereference code path even after a \"dubious character `[' in name or alias field\" detection.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-10754",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "shadow",
"featureversion": "1:4.4-4.1",
"vulnerability": "CVE-2018-7169",
"namespace": "debian:9",
"description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-7169",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "ncurses",
"featureversion": "6.0+20161126-1+deb9u2",
"vulnerability": "CVE-2018-19211",
"namespace": "debian:9",
"description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-19211",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "gnupg2",
"featureversion": "2.1.18-8~deb9u4",
"vulnerability": "CVE-2018-9234",
"namespace": "debian:9",
"description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-9234",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2018-20217",
"namespace": "debian:9",
"description": "A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-20217",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "openssl",
"featureversion": "1.1.0j-1~deb9u1",
"vulnerability": "CVE-2019-1543",
"namespace": "debian:9",
"description": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c-dev (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k-dev (Affected 1.1.0-1.1.0j).",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-1543",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "tar",
"featureversion": "1.29b-1.1",
"vulnerability": "CVE-2018-20482",
"namespace": "debian:9",
"description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-20482",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2018-6954",
"namespace": "debian:9",
"description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-6954",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "nghttp2",
"featureversion": "1.18.1-1",
"vulnerability": "CVE-2018-1000168",
"namespace": "debian:9",
"description": "nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1000168",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "coreutils",
"featureversion": "8.26-3",
"vulnerability": "CVE-2016-2781",
"namespace": "debian:9",
"description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
"link": "https://security-tracker.debian.org/tracker/CVE-2016-2781",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2016-10228",
"namespace": "debian:9",
"description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"link": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2018-16888",
"namespace": "debian:9",
"description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-16888",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "gnutls28",
"featureversion": "3.5.8-5+deb9u4",
"vulnerability": "CVE-2018-16868",
"namespace": "debian:9",
"description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-16868",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "nettle",
"featureversion": "3.3-1",
"vulnerability": "CVE-2018-16869",
"namespace": "debian:9",
"description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-16869",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2017-11462",
"namespace": "debian:9",
"description": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-11462",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "perl",
"featureversion": "5.24.1-3+deb9u5",
"vulnerability": "CVE-2011-4116",
"namespace": "debian:9",
"description": "",
"link": "https://security-tracker.debian.org/tracker/CVE-2011-4116",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "libpng1.6",
"featureversion": "1.6.28-1+deb9u1",
"vulnerability": "CVE-2019-6129",
"namespace": "debian:9",
"description": "** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated \"I don't think it is libpng's job to free this buffer.\"",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-6129",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "libgcrypt20",
"featureversion": "1.7.6-2+deb9u3",
"vulnerability": "CVE-2018-6829",
"namespace": "debian:9",
"description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-6829",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "tar",
"featureversion": "1.29b-1.1",
"vulnerability": "CVE-2019-9923",
"namespace": "debian:9",
"description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-9923",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "openssl",
"featureversion": "1.1.0j-1~deb9u1",
"vulnerability": "CVE-2010-0928",
"namespace": "debian:9",
"description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
"link": "https://security-tracker.debian.org/tracker/CVE-2010-0928",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "tar",
"featureversion": "1.29b-1.1",
"vulnerability": "CVE-2005-2541",
"namespace": "debian:9",
"description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.",
"link": "https://security-tracker.debian.org/tracker/CVE-2005-2541",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "apt",
"featureversion": "1.4.9",
"vulnerability": "CVE-2011-3374",
"namespace": "debian:9",
"description": "",
"link": "https://security-tracker.debian.org/tracker/CVE-2011-3374",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "openssl",
"featureversion": "1.1.0j-1~deb9u1",
"vulnerability": "CVE-2007-6755",
"namespace": "debian:9",
"description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.",
"link": "https://security-tracker.debian.org/tracker/CVE-2007-6755",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "libtasn1-6",
"featureversion": "4.10-1.1+deb9u1",
"vulnerability": "CVE-2018-1000654",
"namespace": "debian:9",
"description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1000654",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "shadow",
"featureversion": "1:4.4-4.1",
"vulnerability": "CVE-2007-5686",
"namespace": "debian:9",
"description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.",
"link": "https://security-tracker.debian.org/tracker/CVE-2007-5686",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "shadow",
"featureversion": "1:4.4-4.1",
"vulnerability": "CVE-2013-4235",
"namespace": "debian:9",
"description": "",
"link": "https://security-tracker.debian.org/tracker/CVE-2013-4235",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "openldap",
"featureversion": "2.4.44+dfsg-5+deb9u2",
"vulnerability": "CVE-2017-17740",
"namespace": "debian:9",
"description": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-17740",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "openldap",
"featureversion": "2.4.44+dfsg-5+deb9u2",
"vulnerability": "CVE-2015-3276",
"namespace": "debian:9",
"description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.",
"link": "https://security-tracker.debian.org/tracker/CVE-2015-3276",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "pcre3",
"featureversion": "2:8.39-3",
"vulnerability": "CVE-2017-7246",
"namespace": "debian:9",
"description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-7246",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "pcre3",
"featureversion": "2:8.39-3",
"vulnerability": "CVE-2017-7245",
"namespace": "debian:9",
"description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-7245",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "pcre3",
"featureversion": "2:8.39-3",
"vulnerability": "CVE-2017-16231",
"namespace": "debian:9",
"description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-16231",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "pcre3",
"featureversion": "2:8.39-3",
"vulnerability": "CVE-2017-11164",
"namespace": "debian:9",
"description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-11164",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "libpng1.6",
"featureversion": "1.6.28-1+deb9u1",
"vulnerability": "CVE-2018-14550",
"namespace": "debian:9",
"description": "",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-14550",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "openldap",
"featureversion": "2.4.44+dfsg-5+deb9u2",
"vulnerability": "CVE-2017-14159",
"namespace": "debian:9",
"description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-14159",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2013-4392",
"namespace": "debian:9",
"description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.",
"link": "https://security-tracker.debian.org/tracker/CVE-2013-4392",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2004-0971",
"namespace": "debian:9",
"description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.",
"link": "https://security-tracker.debian.org/tracker/CVE-2004-0971",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2017-15088",
"namespace": "debian:9",
"description": "plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-15088",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "expat",
"featureversion": "2.2.0-2+deb9u1",
"vulnerability": "CVE-2013-0340",
"namespace": "debian:9",
"description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
"link": "https://security-tracker.debian.org/tracker/CVE-2013-0340",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2010-4052",
"namespace": "debian:9",
"description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"link": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "krb5",
"featureversion": "1.15-1+deb9u1",
"vulnerability": "CVE-2018-5709",
"namespace": "debian:9",
"description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-5709",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2010-4756",
"namespace": "debian:9",
"description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
"link": "https://security-tracker.debian.org/tracker/CVE-2010-4756",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2019-9192",
"namespace": "debian:9",
"description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-9192",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2010-4051",
"namespace": "debian:9",
"description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
"link": "https://security-tracker.debian.org/tracker/CVE-2010-4051",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "coreutils",
"featureversion": "8.26-3",
"vulnerability": "CVE-2017-18018",
"namespace": "debian:9",
"description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-18018",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2018-20796",
"namespace": "debian:9",
"description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-20796",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2015-8985",
"namespace": "debian:9",
"description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
"link": "https://security-tracker.debian.org/tracker/CVE-2015-8985",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2017-1000082",
"namespace": "debian:9",
"description": "systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. \"0day\"), running the service in question with root privileges rather than the user intended.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-1000082",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2019-6488",
"namespace": "debian:9",
"description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-6488",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u4",
"vulnerability": "CVE-2019-7309",
"namespace": "debian:9",
"description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-7309",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "libpng1.6",
"featureversion": "1.6.28-1+deb9u1",
"vulnerability": "CVE-2018-14048",
"namespace": "debian:9",
"description": "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-14048",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "systemd",
"featureversion": "232-25+deb9u11",
"vulnerability": "CVE-2019-9619",
"namespace": "debian:9",
"description": "",
"link": "https://security-tracker.debian.org/tracker/CVE-2019-9619",
"severity": "Unknown",
"fixedby": ""
}
]
}
} |
Closed
|
Update: we are working on replacing PhantomJS, which should enable us to move to |
|
Closed by #17066 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I do understand the vulnerability is in the debian:stretch-slim base image and not added by Grafana, however there are other debian base images that are not vulnerable to this issue. Any thoughts of changing the base image to a more updated version?
Please include this information:
What Grafana version are you using?
5.3.2
I have checked and the newest version is still using
FROM debian:stretch-slimWhat OS are you running grafana on?
debian:stretch-slim
What did you do?
Ran a vulnerability scan on the published Docker image.
What was the expected result?
No high Vulnerabilities found.
What happened instead?
The text was updated successfully, but these errors were encountered: