merge to development

[nam20485]

No description provided.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
unknown/vcpkg/abseil:x64-windows	20230125.3	Unknown	Unknown
unknown/vcpkg/boost-algorithm:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-align:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-array:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-asio:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-assert:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-bind:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-build:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-chrono:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-concept-check:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-config:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-container-hash:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-container:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-context:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-conversion:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-core:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-coroutine:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-date-time:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-describe:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-detail:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-exception:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-function-types:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-function:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-functional:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-fusion:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-integer:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-intrusive:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-io:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-iterator:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-lexical-cast:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-modular-build-helper:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-move:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-mp11:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-mpl:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-numeric-conversion:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-optional:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-pool:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-predef:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-preprocessor:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-range:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-ratio:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-rational:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-regex:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-smart-ptr:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-static-assert:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-system:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-throw-exception:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-tokenizer:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-tuple:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-type-traits:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-typeof:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-uninstall:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-unordered:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-utility:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-variant2:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-vcpkg-helpers:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/boost-winapi:x64-windows	1.82.0	Unknown	Unknown
unknown/vcpkg/bzip2:x64-windows	1.0.8	Unknown	Unknown
unknown/vcpkg/c-ares:x64-windows	1.19.0	Unknown	Unknown
unknown/vcpkg/crow:x64-windows	1.0-5	Unknown	Unknown
unknown/vcpkg/grpc:x64-windows	1.51.1	Unknown	Unknown
unknown/vcpkg/libarchive:x64-windows	3.6.2	Unknown	Unknown
unknown/vcpkg/libiconv:x64-windows	1.17	Unknown	Unknown
unknown/vcpkg/liblzma:x64-windows	5.4.1	Unknown	Unknown
unknown/vcpkg/libxml2:x64-windows	2.10.3	Unknown	Unknown
unknown/vcpkg/lz4:x64-windows	1.9.4	Unknown	Unknown
unknown/vcpkg/openssl:x64-windows	3.1.1	Unknown	Unknown
unknown/vcpkg/protobuf:x64-windows	3.21.12	Unknown	Unknown
unknown/vcpkg/re2:x64-windows	2023-02-01	Unknown	Unknown
unknown/vcpkg/upb:x64-windows	2022-06-21	Unknown	Unknown
unknown/vcpkg/vcpkg-cmake-config:x64-windows	2022-02-06	Unknown	Unknown
unknown/vcpkg/vcpkg-cmake-get-vars:x64-windows	2023-03-02	Unknown	Unknown
unknown/vcpkg/vcpkg-cmake:x64-windows	2023-05-04	Unknown	Unknown
unknown/vcpkg/zlib:x64-windows	1.2.13	Unknown	Unknown
unknown/vcpkg/zstd:x64-windows	1.5.5	Unknown	Unknown

Scanned Manifest Files

vcpkg.json

• vcpkg/abseil:x64-windows@20230125.3
• vcpkg/boost-algorithm:x64-windows@1.82.0
• vcpkg/boost-align:x64-windows@1.82.0
• vcpkg/boost-array:x64-windows@1.82.0
• vcpkg/boost-asio:x64-windows@1.82.0
• vcpkg/boost-assert:x64-windows@1.82.0
• vcpkg/boost-bind:x64-windows@1.82.0
• vcpkg/boost-build:x64-windows@1.82.0
• vcpkg/boost-chrono:x64-windows@1.82.0
• vcpkg/boost-concept-check:x64-windows@1.82.0
• vcpkg/boost-config:x64-windows@1.82.0
• vcpkg/boost-container-hash:x64-windows@1.82.0
• vcpkg/boost-container:x64-windows@1.82.0
• vcpkg/boost-context:x64-windows@1.82.0
• vcpkg/boost-conversion:x64-windows@1.82.0
• vcpkg/boost-core:x64-windows@1.82.0
• vcpkg/boost-coroutine:x64-windows@1.82.0
• vcpkg/boost-date-time:x64-windows@1.82.0
• vcpkg/boost-describe:x64-windows@1.82.0
• vcpkg/boost-detail:x64-windows@1.82.0
• vcpkg/boost-exception:x64-windows@1.82.0
• vcpkg/boost-function-types:x64-windows@1.82.0
• vcpkg/boost-function:x64-windows@1.82.0
• vcpkg/boost-functional:x64-windows@1.82.0
• vcpkg/boost-fusion:x64-windows@1.82.0
• vcpkg/boost-integer:x64-windows@1.82.0
• vcpkg/boost-intrusive:x64-windows@1.82.0
• vcpkg/boost-io:x64-windows@1.82.0
• vcpkg/boost-iterator:x64-windows@1.82.0
• vcpkg/boost-lexical-cast:x64-windows@1.82.0
• vcpkg/boost-modular-build-helper:x64-windows@1.82.0
• vcpkg/boost-move:x64-windows@1.82.0
• vcpkg/boost-mp11:x64-windows@1.82.0
• vcpkg/boost-mpl:x64-windows@1.82.0
• vcpkg/boost-numeric-conversion:x64-windows@1.82.0
• vcpkg/boost-optional:x64-windows@1.82.0
• vcpkg/boost-pool:x64-windows@1.82.0
• vcpkg/boost-predef:x64-windows@1.82.0
• vcpkg/boost-preprocessor:x64-windows@1.82.0
• vcpkg/boost-range:x64-windows@1.82.0
• vcpkg/boost-ratio:x64-windows@1.82.0
• vcpkg/boost-rational:x64-windows@1.82.0
• vcpkg/boost-regex:x64-windows@1.82.0
• vcpkg/boost-smart-ptr:x64-windows@1.82.0
• vcpkg/boost-static-assert:x64-windows@1.82.0
• vcpkg/boost-system:x64-windows@1.82.0
• vcpkg/boost-throw-exception:x64-windows@1.82.0
• vcpkg/boost-tokenizer:x64-windows@1.82.0
• vcpkg/boost-tuple:x64-windows@1.82.0
• vcpkg/boost-type-traits:x64-windows@1.82.0
• vcpkg/boost-typeof:x64-windows@1.82.0
• vcpkg/boost-uninstall:x64-windows@1.82.0
• vcpkg/boost-unordered:x64-windows@1.82.0
• vcpkg/boost-utility:x64-windows@1.82.0
• vcpkg/boost-variant2:x64-windows@1.82.0
• vcpkg/boost-vcpkg-helpers:x64-windows@1.82.0
• vcpkg/boost-winapi:x64-windows@1.82.0
• vcpkg/bzip2:x64-windows@1.0.8
• vcpkg/c-ares:x64-windows@1.19.0
• vcpkg/crow:x64-windows@1.0-5
• vcpkg/grpc:x64-windows@1.51.1
• vcpkg/libarchive:x64-windows@3.6.2
• vcpkg/libiconv:x64-windows@1.17
• vcpkg/liblzma:x64-windows@5.4.1
• vcpkg/libxml2:x64-windows@2.10.3
• vcpkg/lz4:x64-windows@1.9.4
• vcpkg/openssl:x64-windows@3.1.1
• vcpkg/protobuf:x64-windows@3.21.12
• vcpkg/re2:x64-windows@2023-02-01
• vcpkg/upb:x64-windows@2022-06-21
• vcpkg/vcpkg-cmake-config:x64-windows@2022-02-06
• vcpkg/vcpkg-cmake-get-vars:x64-windows@2023-03-02
• vcpkg/vcpkg-cmake:x64-windows@2023-05-04
• vcpkg/zlib:x64-windows@1.2.13
• vcpkg/zstd:x64-windows@1.5.5

[github-actions]

🔍 Vulnerabilities of nam20485/odbdesign:pr-336

📦 Image Reference nam20485/odbdesign:pr-336

digest	sha256:69b634e5b107ebe9bb9a8c3b06e86754b490b7c465b63faf38ec07405012fd51
vulnerabilities
platform	linux/amd64
size	52 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.5-slim bookworm-20240423-slim bookworm-slim
digest	sha256:18838d7b60723ec1548a85ae57195bd84a887b65d249f4a74698f1ab7cae4ca3
vulnerabilities

glibc 2.36-9+deb12u6 (deb) pkg:deb/debian/glibc@2.36-9+deb12u6?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. glibc 2.37-19 https://sourceware.org/bugzilla/show_bug.cgi?id=31679 https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/ https://www.openwall.com/lists/oss-security/2024/04/24/2 https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007 Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=c04a21e050d64a1193a6daab872bca2528bda44b Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. glibc 2.37-19 https://sourceware.org/bugzilla/show_bug.cgi?id=31680 https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/ https://www.openwall.com/lists/oss-security/2024/04/24/2 https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008 Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=c04a21e050d64a1193a6daab872bca2528bda44b Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. glibc 2.37-19 https://sourceware.org/bugzilla/show_bug.cgi?id=31678 https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/ https://www.openwall.com/lists/oss-security/2024/04/24/2 https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006 Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=b048a482f088e53144d26a61c390bed0210f49f2 Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=7835b00dbce53c3c87bbbb1754a95fb5e58187aa Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. glibc 2.37-19 https://sourceware.org/bugzilla/show_bug.cgi?id=31677 https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/ https://www.openwall.com/lists/oss-security/2024/04/24/2 https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005 Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=87801a8fd06db1d654eea3e4f7626ff476a9bdaa

systemd 252.22-1~deb12u1 (deb) pkg:deb/debian/systemd@252.22-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.23-1~deb12u1 Fixed version 252.23-1~deb12u1 Description Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. bind9 1:9.19.21-1 dnsmasq 2.90-1 [bookworm] - dnsmasq 2.90-4~deb12u1 knot-resolver 5.7.1-1 [bullseye] - knot-resolver (Too intrusive to backport, if DNSSEC is used Bookworm can be used) [buster] - knot-resolver (Too intrusive to backport) pdns-recursor 4.9.3-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063852) [bullseye] - pdns-recursor (No longer supported with security updates in Bullseye) unbound 1.19.1-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845) systemd 255.4-1 [bookworm] - systemd 252.23-1~deb12u1 [buster] - systemd (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release) dnsjava (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077750) [bookworm] - dnsjava (Minor issue) [bullseye] - dnsjava (Minor issue) https://kb.isc.org/docs/cve-2023-50387 https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe (v9.16.48) https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67 (v9.16.48) https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718 (v9.16.48) https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd (v9.16.48) https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614 (v9.16.48) https://downloads.isc.org/isc/bind9/9.16.48/patches/0005-CVE-2023-50387-CVE-2023-50868.patch https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html CZ-NIC/knot-resolver@7ddabe8 CZ-NIC/knot-resolver@feb65eb (v5.7.1) CZ-NIC/knot-resolver@cc5051b (v5.7.1) https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released Fixed by: rec: CVE-2023-50387 and CVE-2023-50868 PowerDNS/pdns#13781 https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt Fixed by: NLnetLabs/unbound@882903f (release-1.19.1) Status of CVE-2023-50387 and CVE-2023-50868 unknown systemd/systemd#31413 systemd/systemd@67d0ce8 (v256) systemd/systemd@eba2911 (v256) systemd/systemd-stable@1ebdb19 (v255.4) systemd/systemd-stable@572692f (v255.4) systemd/systemd-stable@2f5edff (v254.10) systemd/systemd-stable@9899281 (v254.10) systemd/systemd-stable@7886eea (v253.17) systemd/systemd-stable@156e519 (v253.17) systemd/systemd-stable@7633d96 (v252.23) systemd/systemd-stable@b43bcb5 (v252.23) systemd: DNSSEC is default to off in systemd-resolved GHSA-crjg-w57m-rqqf dnsjava/dnsjava@07ac36a (v3.6.0) dnsjava/dnsjava@3ddc45c (v3.6.0) Affected range <252.23-1~deb12u1 Fixed version 252.23-1~deb12u1 Description The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. bind9 1:9.19.21-1 dnsmasq 2.90-1 [bookworm] - dnsmasq 2.90-4~deb12u1 knot-resolver 5.7.1-1 [bullseye] - knot-resolver (Too intrusive to backport, if DNSSEC is used Bookworm can be used) [buster] - knot-resolver (Too intrusive to backport, if DNSSEC is used Bookworm can be used) pdns-recursor 4.9.3-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063852) [bullseye] - pdns-recursor (No longer supported with security updates in Bullseye) unbound 1.19.1-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845) systemd 255.4-1 [bookworm] - systemd 252.23-1~deb12u1 [buster] - systemd (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release) dnsjava (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077751) [bookworm] - dnsjava (Minor issue) [bullseye] - dnsjava (Minor issue) https://kb.isc.org/docs/cve-2023-50868 https://downloads.isc.org/isc/bind9/9.16.48/patches/0005-CVE-2023-50387-CVE-2023-50868.patch https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html CZ-NIC/knot-resolver@e966b7f (v5.7.1) CZ-NIC/knot-resolver@eccb8e2 (v5.7.1) CZ-NIC/knot-resolver@b5051ac (v5.7.1) CZ-NIC/knot-resolver@24699e9 (v5.7.1) CZ-NIC/knot-resolver@a05cf1d (v5.7.1) CZ-NIC/knot-resolver@9b421cd (v5.7.1) CZ-NIC/knot-resolver@5e80624 CZ-NIC/knot-resolver@f9ba52e (v5.7.1) CZ-NIC/knot-resolver@b044bab (v5.7.1) https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released Fixed by: rec: CVE-2023-50387 and CVE-2023-50868 PowerDNS/pdns#13781 https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt Fixed by: NLnetLabs/unbound@92f2a1c (release-1.19.1) Status of CVE-2023-50387 and CVE-2023-50868 unknown systemd/systemd#31413 systemd/systemd@67d0ce8 (v256) systemd/systemd@eba2911 (v256) systemd/systemd-stable@1ebdb19 (v255.4) systemd/systemd-stable@572692f (v255.4) systemd/systemd-stable@2f5edff (v254.10) systemd/systemd-stable@9899281 (v254.10) systemd/systemd-stable@7886eea (v253.17) systemd/systemd-stable@156e519 (v253.17) systemd/systemd-stable@7633d96 (v252.23) systemd/systemd-stable@b43bcb5 (v252.23) systemd: DNSSEC is default to off in systemd-resolved GHSA-mmwx-rj87-vfgr dnsjava/dnsjava@711af79 (v3.6.0)

gnutls28 3.7.9-2+deb12u2 (deb) pkg:deb/debian/gnutls28@3.7.9-2+deb12u2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u3 Fixed version 3.7.9-2+deb12u3 Description A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. [experimental] - gnutls28 3.8.4-1 gnutls28 3.8.4-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067464) [bookworm] - gnutls28 3.7.9-2+deb12u3 [buster] - gnutls28 (Vulnerable code not present) https://gitlab.com/gnutls/gnutls/-/issues/1516 https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html https://www.gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5 (3.8.4) Introduced with: https://gitlab.com/gnutls/gnutls/-/merge_requests/1051 (gnutls_3_6_10) Affected range <3.7.9-2+deb12u3 Fixed version 3.7.9-2+deb12u3 Description A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command. [experimental] - gnutls28 3.8.4-1 gnutls28 3.8.4-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067463) [bookworm] - gnutls28 3.7.9-2+deb12u3 [buster] - gnutls28 (Vulnerable code not present) https://bugzilla.redhat.com/show_bug.cgi?id=2269084 https://gitlab.com/gnutls/gnutls/-/issues/1525 https://gitlab.com/gnutls/gnutls/-/issues/1527 https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html https://www.gnutls.org/security-new.html#GNUTLS-SA-2024-01-23 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d (3.8.4) Introduced with: https://gitlab.com/gnutls/gnutls/-/commit/d268f19510a95f92d11d8f8dc7d94fcae4d765cc (3.7.0)

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/openldap@2.5.13+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/p7zip@16.02+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. 7zip 24.08+dfsg-1 (unimportant) p7zip 16.02+transitional.1 (unimportant) Crash in CLI tool, no security impact https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 7zip 24.05+dfsg-1 (unimportant) [bookworm] - 7zip 22.01+dfsg-8+deb12u1 Crash in CLI tool, no security impact p7zip 16.02+transitional.1 (unimportant) https://sourceforge.net/p/sevenzip/bugs/2402/ https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ https://www.openwall.com/lists/oss-security/2024/07/03/10 Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. p7zip (unimportant) https://sourceforge.net/p/p7zip/bugs/241/ Crash in CLI tool, no security impact

krb5 1.20.1-2+deb12u2 (deb) pkg:deb/debian/krb5@1.20.1-2+deb12u2?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064965; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064965; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/perl@5.36.0-7+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. libhttp-tiny-perl 0.088-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962407; unimportant) [experimental] - perl 5.38.0~rc2-1 perl 5.38.2-2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954089) https://www.openwall.com/lists/oss-security/2023/04/18/14 verify_SSL being true by default (redux) chansen/p5-http-tiny#134 https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/ https://hackeriet.github.io/cpan-http-tiny-overview/ Applications need to explicitly opt in to enable verification. Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description _is_safe in the File::Temp module for Perl does not properly handle symlinks. perl (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776268) http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 File:Temp::_is_safe() allows unsafe traversal of symlinks [rt.cpan.org #69106] Perl-Toolchain-Gang/File-Temp#14

gcc-12 12.2.0-14 (deb) pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=12.2.0-14 Fixed version Not Fixed Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. gcc-13 13.2.0-4 (unimportant) gcc-12 12.3.0-9 (unimportant) gcc-11 11.4.0-4 (unimportant) gcc-10 10.5.0-3 (unimportant) gcc-9 9.5.0-6 (unimportant) gcc-8 (unimportant) gcc-7 (unimportant) GHSA-x7ch-h5rf-w2mf Not considered a security issue by GCC upstream https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64 Affected range >=12.2.0-14 Fixed version Not Fixed Description libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. gcc-12 (unimportant) Negligible security impact https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1:4.13+dfsg1-1 Fixed version Not Fixed Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. shadow (unimportant) See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures

curl 7.88.1-10+deb12u8 (deb) pkg:deb/debian/curl@7.88.1-10+deb12u8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u8 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. curl 8.7.1-1 (unimportant) https://curl.se/docs/CVE-2024-2379.html Introduced by: curl/curl@5d044ad (curl-8_6_0) Fixed by: curl/curl@aedbbdf (curl-8_7_0) curl in Debian not built with wolfSSL support

openssl 3.0.15-1~deb12u1 (deb) pkg:deb/debian/openssl@3.0.15-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

coreutils 9.1-1 (deb) pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

apt 2.6.1 (deb) pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/tar@1.34+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

[github-actions]

Recommended fixes for image nam20485/odbdesign:pr-336

Base image is debian:12-slim

Name	bookworm-20240423-slim
Digest	sha256:18838d7b60723ec1548a85ae57195bd84a887b65d249f4a74698f1ab7cae4ca3
Vulnerabilities
Pushed	8 months ago
Size	29 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as: 12.9-slim bookworm-slim bookworm-20250113-slim	Benefits: Same OS detected Newer image for same tag Image is smaller by 916 KB Tag was pushed more recently Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	5 days ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250113-slim	Benefits: Same OS detected Image is smaller by 916 KB Tag is preferred tag Tag was pushed more recently Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	5 days ago
12 Tag is latest Also known as: 12.9 bookworm bookworm-20250113 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	5 days ago

[github-actions]

Overview

Image reference	ghcr.io/nam20485/odbdesign:development-latest	nam20485/odbdesign:pr-336
- digest	da5b1ce01daa	69b634e5b107
- provenance	e6e2faf	0645550
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	44 MB	52 MB (+7.2 MB)
- packages	155	155
Base Image	debian:bookworm-20240423-slim also known as: • 12-slim • bookworm-slim	debian:12-slim also known as: • bookworm-slim
- vulnerabilities

Labels (3 changes)

• ± 3 changed
• 7 unchanged

 org.opencontainers.image.authors=https://github.com/nam20485
-org.opencontainers.image.created=2025-01-16 20:20:34
+org.opencontainers.image.created=2025-01-18T22:52:24.741Z
 org.opencontainers.image.description=A free open source cross-platform C++ library for parsing ODB++ Design archives, accessing their data, and building net list product models. Exposed via a REST API packaged inside of a Docker image.
 org.opencontainers.image.documentation=https://github.com/nam20485/OdbDesign?tab=readme-ov-file
 org.opencontainers.image.licenses=MIT
-org.opencontainers.image.revision=e6e2faf1206ee2b70cbfee70b1dc13b9bd38e4bf
+org.opencontainers.image.revision=0645550950fd49ef8c1cf4b74ebd7240b7a26d05
 org.opencontainers.image.source=https://github.com/nam20485/OdbDesign
 org.opencontainers.image.title=OdbDesign
 org.opencontainers.image.url=https://github.com/nam20485/OdbDesign
-org.opencontainers.image.version=development-939
+org.opencontainers.image.version=pr-336