merge to development

[nam20485]

No description provided.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: The number of snapshots compared for the base SHA (1) and the head SHA (2) do not match. You may see unexpected additions in the diff.

Consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Manifest Files

[github-actions]

Outdated

🔍 Vulnerabilities of nam20485/odbdesign:pr-333

📦 Image Reference nam20485/odbdesign:pr-333

digest	sha256:79a3c824327bb3b195d37d8345b51dfd2cade591e98f4cf984b477d1a6ebce0b
vulnerabilities
platform	linux/amd64
size	50 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.5-slim bookworm-20240423-slim bookworm-slim
digest	sha256:18838d7b60723ec1548a85ae57195bd84a887b65d249f4a74698f1ab7cae4ca3
vulnerabilities

glibc 2.36-9+deb12u6 (deb) pkg:deb/debian/[email protected]+deb12u6?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

systemd 252.22-1~deb12u1 (deb) pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.23-1~deb12u1 Fixed version 252.23-1~deb12u1 Description Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. Affected range <252.23-1~deb12u1 Fixed version 252.23-1~deb12u1 Description The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

gnutls28 3.7.9-2+deb12u2 (deb) pkg:deb/debian/[email protected]+deb12u2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u3 Fixed version 3.7.9-2+deb12u3 Description A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. Affected range <3.7.9-2+deb12u3 Fixed version 3.7.9-2+deb12u3 Description A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/[email protected]+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/[email protected]+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp.

krb5 1.20.1-2+deb12u2 (deb) pkg:deb/debian/[email protected]+deb12u2?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/[email protected]+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description _is_safe in the File::Temp module for Perl does not properly handle symlinks.

gcc-12 12.2.0-14 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=12.2.0-14 Fixed version Not Fixed Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. Affected range >=12.2.0-14 Fixed version Not Fixed Description libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1:4.13+dfsg1-1 Fixed version Not Fixed Description shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. Affected range >=1:4.13+dfsg1-1 Fixed version Not Fixed Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/[email protected]+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

openssl 3.0.15-1~deb12u1 (deb) pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."

coreutils 9.1-1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

apt 2.6.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

curl 7.88.1-10+deb12u8 (deb) pkg:deb/debian/[email protected]+deb12u8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u8 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.

[github-actions]

Outdated

Recommended fixes for image nam20485/odbdesign:pr-333

Base image is debian:12-slim

Name	bookworm-20240423-slim
Digest	sha256:18838d7b60723ec1548a85ae57195bd84a887b65d249f4a74698f1ab7cae4ca3
Vulnerabilities
Pushed	8 months ago
Size	29 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as: 12.9-slim bookworm-slim bookworm-20250113-slim	Benefits: Same OS detected Newer image for same tag Image is smaller by 916 KB Tag was pushed more recently Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	3 days ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250113-slim	Benefits: Same OS detected Image is smaller by 916 KB Tag is preferred tag Tag was pushed more recently Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	3 days ago
12 Tag is latest Also known as: 12.9 bookworm bookworm-20250113 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	3 days ago

[github-actions]

Overview

Image reference	ghcr.io/nam20485/odbdesign:development-latest	nam20485/odbdesign:pr-333
- digest	c05f5cab4bd3	4aa1864c352e
- provenance	2cf3ac8	5b4b09d
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	36 MB	50 MB (+14 MB)
- packages	125	155 (+30)
Base Image	debian:bookworm-20240423-slim also known as: • 12-slim • bookworm-slim	debian:12-slim also known as: • bookworm-slim
- vulnerabilities

Labels (3 changes)

• ± 3 changed
• 7 unchanged

 org.opencontainers.image.authors=https://github.com/nam20485
-org.opencontainers.image.created=2024-05-15 14:37:09
+org.opencontainers.image.created=2025-01-15T23:39:40.689Z
 org.opencontainers.image.description=A free open source cross-platform C++ library for parsing ODB++ Design archives, accessing their data, and building net list product models. Exposed via a REST API packaged inside of a Docker image.
 org.opencontainers.image.documentation=https://github.com/nam20485/OdbDesign?tab=readme-ov-file
 org.opencontainers.image.licenses=MIT
-org.opencontainers.image.revision=2cf3ac8bd1972f67263f797d4697261f8afadec8
+org.opencontainers.image.revision=5b4b09d8179f8b83783b3661d618c030be851add
 org.opencontainers.image.source=https://github.com/nam20485/OdbDesign
 org.opencontainers.image.title=OdbDesign
 org.opencontainers.image.url=https://github.com/nam20485/OdbDesign
-org.opencontainers.image.version=development-931
+org.opencontainers.image.version=pr-333

Packages and Vulnerabilities (30 package changes and 0 vulnerability changes)

• ➕ 30 packages added
• 125 packages unchanged

Changes for packages of type deb (30 changes)

	Package	Version ghcr.io/nam20485/odbdesign:development-latest	Version nam20485/odbdesign:pr-333
➕	apt-transport-https		2.6.1
➕	brotli		1.0.9-2
➕	ca-certificates		20230311
➕	curl		7.88.1-10+deb12u8
➕	cyrus-sasl2		2.1.28+dfsg-10
➕	keyutils		1.6.3-2
➕	krb5		1.20.1-2+deb12u2
➕	libbrotli1		1.0.9-2+b6
➕	libcurl4		7.88.1-10+deb12u8
➕	libgssapi-krb5-2		1.20.1-2+deb12u2
➕	libk5crypto3		1.20.1-2+deb12u2
➕	libkeyutils1		1.6.3-2
➕	libkrb5-3		1.20.1-2+deb12u2
➕	libkrb5support0		1.20.1-2+deb12u2
➕	libldap-2.5-0		2.5.13+dfsg-5
➕	libnghttp2-14		1.52.0-1+deb12u2
➕	libpsl		0.21.2-1
➕	libpsl5		0.21.2-1
➕	librtmp1		2.4+20151223.gitfa8646d.1-2+b2
➕	libsasl2-2		2.1.28+dfsg-10
➕	libsasl2-modules-db		2.1.28+dfsg-10
➕	libssh2		1.10.0-3
➕	libssh2-1		1.10.0-3+b1
➕	libssl3		3.0.15-1~deb12u1
➕	nghttp2		1.52.0-1+deb12u2
➕	openldap		2.5.13+dfsg-5
➕	openssl		3.0.15-1~deb12u1
➕	p7zip		16.02+dfsg-8
➕	p7zip-full		16.02+dfsg-8
➕	rtmpdump		2.4+20151223.gitfa8646d.1-2

[github-actions]

🔍 Vulnerabilities of nam20485/odbdesign:pr-333

📦 Image Reference nam20485/odbdesign:pr-333

digest	sha256:4aa1864c352eb65bd38597d88c1a1cdca1206b84c0b8946b4e1d90bcf0ca7c1b
vulnerabilities
platform	linux/amd64
size	50 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.5-slim bookworm-20240423-slim bookworm-slim
digest	sha256:18838d7b60723ec1548a85ae57195bd84a887b65d249f4a74698f1ab7cae4ca3
vulnerabilities

glibc 2.36-9+deb12u6 (deb) pkg:deb/debian/[email protected]+deb12u6?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. Affected range <2.36-9+deb12u7 Fixed version 2.36-9+deb12u7 Description nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

systemd 252.22-1~deb12u1 (deb) pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.23-1~deb12u1 Fixed version 252.23-1~deb12u1 Description Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. Affected range <252.23-1~deb12u1 Fixed version 252.23-1~deb12u1 Description The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

gnutls28 3.7.9-2+deb12u2 (deb) pkg:deb/debian/[email protected]+deb12u2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u3 Fixed version 3.7.9-2+deb12u3 Description A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. Affected range <3.7.9-2+deb12u3 Fixed version 3.7.9-2+deb12u3 Description A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/[email protected]+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/[email protected]+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp.

krb5 1.20.1-2+deb12u2 (deb) pkg:deb/debian/[email protected]+deb12u2?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. Affected range >=1.20.1-2+deb12u2 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/[email protected]+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description _is_safe in the File::Temp module for Perl does not properly handle symlinks.

gcc-12 12.2.0-14 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=12.2.0-14 Fixed version Not Fixed Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. Affected range >=12.2.0-14 Fixed version Not Fixed Description libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1:4.13+dfsg1-1 Fixed version Not Fixed Description shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. Affected range >=1:4.13+dfsg1-1 Fixed version Not Fixed Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/[email protected]+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

openssl 3.0.15-1~deb12u1 (deb) pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

coreutils 9.1-1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

apt 2.6.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

curl 7.88.1-10+deb12u8 (deb) pkg:deb/debian/[email protected]+deb12u8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u8 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.

[github-actions]

Recommended fixes for image nam20485/odbdesign:pr-333

Base image is debian:12-slim

Name	bookworm-20240423-slim
Digest	sha256:18838d7b60723ec1548a85ae57195bd84a887b65d249f4a74698f1ab7cae4ca3
Vulnerabilities
Pushed	8 months ago
Size	29 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as: 12.9-slim bookworm-slim bookworm-20250113-slim	Benefits: Same OS detected Newer image for same tag Image is smaller by 916 KB Tag was pushed more recently Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	3 days ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250113-slim	Benefits: Same OS detected Image is smaller by 916 KB Tag is preferred tag Tag was pushed more recently Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	3 days ago
12 Tag is latest Also known as: 12.9 bookworm bookworm-20250113 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	3 days ago