Analysing 3 layers
Got results from Clair API v1
Found 86 vulnerabilities
Unknown: 10
Negligible: 29
Low: 24
Medium: 14
High: 9

CVE-2020-10878: [High]
Found in: perl [5.24.1-3+deb9u5]
Fixed By: 5.24.1-3+deb9u7
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
https://security-tracker.debian.org/tracker/CVE-2020-10878
-----------------------------------------
CVE-2017-14062: [High]
Found in: libidn [1.33-1]
Fixed By: 1.33-1+deb9u1
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2017-14062
-----------------------------------------
CVE-2018-6551: [High]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.
https://security-tracker.debian.org/tracker/CVE-2018-6551
-----------------------------------------
CVE-2019-9169: [High]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
https://security-tracker.debian.org/tracker/CVE-2019-9169
-----------------------------------------
CVE-2018-6485: [High]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
https://security-tracker.debian.org/tracker/CVE-2018-6485
-----------------------------------------
CVE-2018-1000001: [High]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
https://security-tracker.debian.org/tracker/CVE-2018-1000001
-----------------------------------------
CVE-2016-2779: [High]
Found in: util-linux [2.29.2-1+deb9u1]
Fixed By:
runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2779
-----------------------------------------
CVE-2017-12424: [High]
Found in: shadow [1:4.4-4.1]
Fixed By: 1:4.4-4.1+deb9u1
In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
https://security-tracker.debian.org/tracker/CVE-2017-12424
-----------------------------------------
CVE-2019-12900: [High]
Found in: bzip2 [1.0.6-8.1]
Fixed By:
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
https://security-tracker.debian.org/tracker/CVE-2019-12900
-----------------------------------------
CVE-2020-12723: [Medium]
Found in: perl [5.24.1-3+deb9u5]
Fixed By: 5.24.1-3+deb9u7
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
https://security-tracker.debian.org/tracker/CVE-2020-12723
-----------------------------------------
CVE-2020-10543: [Medium]
Found in: perl [5.24.1-3+deb9u5]
Fixed By: 5.24.1-3+deb9u7
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
https://security-tracker.debian.org/tracker/CVE-2020-10543
-----------------------------------------
CVE-2019-12904: [Medium]
Found in: libgcrypt20 [1.7.6-2+deb9u3]
Fixed By:
In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)
https://security-tracker.debian.org/tracker/CVE-2019-12904
-----------------------------------------
CVE-2020-14155: [Medium]
Found in: pcre3 [2:8.39-3]
Fixed By:
libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
https://security-tracker.debian.org/tracker/CVE-2020-14155
-----------------------------------------
CVE-2019-5188: [Medium]
Found in: e2fsprogs [1.43.4-2]
Fixed By: 1.43.4-2+deb9u2
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
https://security-tracker.debian.org/tracker/CVE-2019-5188
-----------------------------------------
CVE-2019-5094: [Medium]
Found in: e2fsprogs [1.43.4-2]
Fixed By: 1.43.4-2+deb9u1
An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
https://security-tracker.debian.org/tracker/CVE-2019-5094
-----------------------------------------
CVE-2020-1751: [Medium]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
https://security-tracker.debian.org/tracker/CVE-2020-1751
-----------------------------------------
CVE-2017-12132: [Medium]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
https://security-tracker.debian.org/tracker/CVE-2017-12132
-----------------------------------------
CVE-2009-5155: [Medium]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
https://security-tracker.debian.org/tracker/CVE-2009-5155
-----------------------------------------
CVE-2016-10739: [Medium]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
https://security-tracker.debian.org/tracker/CVE-2016-10739
-----------------------------------------
CVE-2020-3810: [Medium]
Found in: apt [1.4.9]
Fixed By: 1.4.10
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
https://security-tracker.debian.org/tracker/CVE-2020-3810
-----------------------------------------
CVE-2018-12886: [Medium]
Found in: gcc-6 [6.3.0-18+deb9u1]
Fixed By:
stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
https://security-tracker.debian.org/tracker/CVE-2018-12886
-----------------------------------------
CVE-2018-16062: [Medium]
Found in: elfutils [0.168-1]
Fixed By:
dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.
https://security-tracker.debian.org/tracker/CVE-2018-16062
-----------------------------------------
CVE-2018-18310: [Medium]
Found in: elfutils [0.168-1]
Fixed By:
An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.
https://security-tracker.debian.org/tracker/CVE-2018-18310
-----------------------------------------
CVE-2019-13627: [Low]
Found in: libgcrypt20 [1.7.6-2+deb9u3]
Fixed By:
It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.
https://security-tracker.debian.org/tracker/CVE-2019-13627
-----------------------------------------
CVE-2019-17543: [Low]
Found in: lz4 [0.0~r131-2]
Fixed By:
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
https://security-tracker.debian.org/tracker/CVE-2019-17543
-----------------------------------------
CVE-2018-16869: [Low]
Found in: nettle [3.3-1]
Fixed By:
A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
https://security-tracker.debian.org/tracker/CVE-2018-16869
-----------------------------------------
CVE-2019-17595: [Low]
Found in: ncurses [6.0+20161126-1+deb9u2]
Fixed By:
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
https://security-tracker.debian.org/tracker/CVE-2019-17595
-----------------------------------------
CVE-2019-17594: [Low]
Found in: ncurses [6.0+20161126-1+deb9u2]
Fixed By:
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
https://security-tracker.debian.org/tracker/CVE-2019-17594
-----------------------------------------
CVE-2018-19211: [Low]
Found in: ncurses [6.0+20161126-1+deb9u2]
Fixed By:
In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection.
https://security-tracker.debian.org/tracker/CVE-2018-19211
-----------------------------------------
CVE-2020-10029: [Low]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
https://security-tracker.debian.org/tracker/CVE-2020-10029
-----------------------------------------
CVE-2016-10228: [Low]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
https://security-tracker.debian.org/tracker/CVE-2016-10228
-----------------------------------------
CVE-2020-1752: [Low]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
https://security-tracker.debian.org/tracker/CVE-2020-1752
-----------------------------------------
CVE-2019-19126: [Low]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
https://security-tracker.debian.org/tracker/CVE-2019-19126
-----------------------------------------
CVE-2020-6096: [Low]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
https://security-tracker.debian.org/tracker/CVE-2020-6096
-----------------------------------------
CVE-2019-14855: [Low]
Found in: gnupg2 [2.1.18-8~deb9u4]
Fixed By:
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
https://security-tracker.debian.org/tracker/CVE-2019-14855
-----------------------------------------
CVE-2018-9234: [Low]
Found in: gnupg2 [2.1.18-8~deb9u4]
Fixed By:
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
https://security-tracker.debian.org/tracker/CVE-2018-9234
-----------------------------------------
CVE-2018-7169: [Low]
Found in: shadow [1:4.4-4.1]
Fixed By:
An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.
https://security-tracker.debian.org/tracker/CVE-2018-7169
-----------------------------------------
CVE-2018-20482: [Low]
Found in: tar [1.29b-1.1]
Fixed By:
GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).
https://security-tracker.debian.org/tracker/CVE-2018-20482
-----------------------------------------
CVE-2016-2781: [Low]
Found in: coreutils [8.26-3]
Fixed By:
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2781
-----------------------------------------
CVE-2019-7150: [Low]
Found in: elfutils [0.168-1]
Fixed By:
An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.
https://security-tracker.debian.org/tracker/CVE-2019-7150
-----------------------------------------
CVE-2019-7664: [Low]
Found in: elfutils [0.168-1]
Fixed By:
In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).
https://security-tracker.debian.org/tracker/CVE-2019-7664
-----------------------------------------
CVE-2019-7149: [Low]
Found in: elfutils [0.168-1]
Fixed By:
A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.
https://security-tracker.debian.org/tracker/CVE-2019-7149
-----------------------------------------
CVE-2018-16403: [Low]
Found in: elfutils [0.168-1]
Fixed By:
libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.
https://security-tracker.debian.org/tracker/CVE-2018-16403
-----------------------------------------
CVE-2018-16402: [Low]
Found in: elfutils [0.168-1]
Fixed By:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
https://security-tracker.debian.org/tracker/CVE-2018-16402
-----------------------------------------
CVE-2019-7665: [Low]
Found in: elfutils [0.168-1]
Fixed By:
In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.
https://security-tracker.debian.org/tracker/CVE-2019-7665
-----------------------------------------
CVE-2018-18521: [Low]
Found in: elfutils [0.168-1]
Fixed By:
Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.
https://security-tracker.debian.org/tracker/CVE-2018-18521
-----------------------------------------
CVE-2018-18520: [Low]
Found in: elfutils [0.168-1]
Fixed By:
An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.
https://security-tracker.debian.org/tracker/CVE-2018-18520
-----------------------------------------
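Most of the 47 findings printed above carry an empty "Fixed By:" field, which is the detail that decides what to do with each one: a finding with a fixed version closes with a package upgrade, a finding without one cannot, and needs a different decision (rebase the image, drop the package, or record the accepted risk). The triage helper below is an added example, not part of the scan output and not code from klar or Clair. It assumes only the record layout visible in the report (CVE and severity line, "Found in:", "Fixed By:", description, Debian tracker URL, dash separator); the sample report embedded in it is a constructed five-record excerpt of the scan above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed ordering; the report itself only prints the severity names.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": -1}

HEADER_RE = re.compile(r"^(?P<cve>CVE-\d{4}-\d{4,}): \[(?P<sev>\w+)\]")
FOUND_RE = re.compile(r"^Found in: (?P<pkg>\S+) \[(?P<ver>[^\]]+)\]")
FIXED_RE = re.compile(r"^Fixed By:\s*(?P<fix>.*)$")
SEPARATOR_RE = re.compile(r"(?m)^-{5,}\s*$")


@dataclass
class Finding:
    cve: str
    severity: str
    package: str
    installed: str
    fixed_by: str  # empty when the distro has shipped no fix for this release
    url: str

    @property
    def fixable(self) -> bool:
        return bool(self.fixed_by)


def parse_report(text: str) -> list[Finding]:
    """Parse the dash-separated text report into Finding records."""
    findings: list[Finding] = []
    for block in SEPARATOR_RE.split(text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        start = next((i for i, ln in enumerate(lines) if HEADER_RE.match(ln)), None)
        if start is None:
            continue  # the layer/severity-count preamble carries no record
        head = HEADER_RE.match(lines[start])
        found = FOUND_RE.match(lines[start + 1]) if start + 1 < len(lines) else None
        fixed = FIXED_RE.match(lines[start + 2]) if start + 2 < len(lines) else None
        if not (found and fixed):
            raise ValueError(f"malformed record for {head['cve']}")
        url = lines[-1] if lines[-1].startswith("https://") else ""
        findings.append(Finding(head["cve"], head["sev"], found["pkg"], found["ver"],
                                fixed["fix"].strip(), url))
    return findings


def triage(findings, min_severity="Medium"):
    """Return (fixable, unfixed), each most-severe first, below min_severity dropped."""
    floor = SEVERITY_RANK[min_severity]
    keep = [f for f in findings if SEVERITY_RANK.get(f.severity, -1) >= floor]
    keep.sort(key=lambda f: (-SEVERITY_RANK.get(f.severity, -1), f.package, f.cve))
    return [f for f in keep if f.fixable], [f for f in keep if not f.fixable]


def upgrade_targets(findings) -> dict[str, set[str]]:
    """Package -> set of 'Fixed By' versions. One package can name several (e2fsprogs
    below); Debian version order is not lexical, so choose the newest with
    'dpkg --compare-versions', not with sorted()."""
    targets: dict[str, set[str]] = {}
    for f in findings:
        if f.fixable:
            targets.setdefault(f.package, set()).add(f.fixed_by)
    return targets


# Constructed excerpt of the scan above, in the report's own layout.
SAMPLE_REPORT = """\
Analysing 3 layers
Got results from Clair API v1
Found 5 vulnerabilities
High: 2
Medium: 2
Low: 1

CVE-2020-10878: [High]
Found in: perl [5.24.1-3+deb9u5]
Fixed By: 5.24.1-3+deb9u7
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation.
https://security-tracker.debian.org/tracker/CVE-2020-10878
-----------------------------------------
CVE-2018-6551: [High]
Found in: glibc [2.24-11+deb9u4]
Fixed By:
The malloc implementation in the GNU C Library did not properly handle malloc calls with arguments close to SIZE_MAX.
https://security-tracker.debian.org/tracker/CVE-2018-6551
-----------------------------------------
CVE-2019-5188: [Medium]
Found in: e2fsprogs [1.43.4-2]
Fixed By: 1.43.4-2+deb9u2
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.
https://security-tracker.debian.org/tracker/CVE-2019-5188
-----------------------------------------
CVE-2019-5094: [Medium]
Found in: e2fsprogs [1.43.4-2]
Fixed By: 1.43.4-2+deb9u1
An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3.
https://security-tracker.debian.org/tracker/CVE-2019-5094
-----------------------------------------
CVE-2019-17595: [Low]
Found in: ncurses [6.0+20161126-1+deb9u2]
Fixed By:
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
https://security-tracker.debian.org/tracker/CVE-2019-17595
-----------------------------------------
"""
```

Run against the full report, `triage(parse_report(text), "High")` puts the three perl/libidn/shadow findings in the fixable queue and the six glibc, util-linux and bzip2 findings in the unfixed one; the latter will not go away with apt upgrade on this base image, so a CI gate that only counts High findings will keep failing until the base image itself is changed.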