merge to development

[nam20485]

No description provided.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Files

• .github/workflows/codeql.yml

[Copilot]

Pull Request Overview

This PR merges feature updates into the development branch, adding explicit version overrides for vcpkg ports, a shell script for Debian-based dependency installation, and clarifying supported Linux distributions in the documentation.

• Add a new overrides section to vcpkg.json for specific port versions
• Introduce scripts/install-dependencies-deb.sh to automate package installs on Debian/Ubuntu
• Update docs/README.md to include Debian and Mint alongside Ubuntu

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
vcpkg.json	Adds overrides array with fixed versions for protobuf, libarchive, openssl, and crow
scripts/install-dependencies-deb.sh	New bash script that updates apt and installs required packages
docs/README.md	Updates Linux distro reference to include Ubuntu/Debian/Mint

Comments suppressed due to low confidence (1)

docs/README.md:166

• [nitpick] For readability in documentation, list distributions with commas or conjunctions (e.g., "Ubuntu, Debian, or Mint") instead of slash-separated names.

> If you are building on a Linux system then the dependencies listed below can be installed using your package manager. For example on Ubuntu/Debian/Mint you can install them (except for vcpkg and Docker) using the following command:

[github-actions]

Outdated

🔍 Vulnerabilities of nam20485/odbdesign:pr-398

📦 Image Reference nam20485/odbdesign:pr-398

digest	sha256:b486a2a7a1f982106a043a5d51604c2379baafb3a91adc959274614a10ffce41
vulnerabilities
platform	linux/amd64
size	52 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.9-slim bookworm-20250203-slim bookworm-slim
digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
vulnerabilities

glibc 2.36-9+deb12u9 (deb) pkg:deb/debian/glibc@2.36-9+deb12u9?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u10 Fixed version 2.36-9+deb12u10 Description When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. glibc 2.40-6 [bookworm] - glibc 2.36-9+deb12u10 https://sourceware.org/bugzilla/show_bug.cgi?id=32582 https://www.openwall.com/lists/oss-security/2025/01/22/4 Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch) Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845 (2.36-branch) https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001 https://sourceware.org/pipermail/libc-announce/2025/000044.html

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2215945 shadow-maint/shadow@65c88a4 (4.14.0-rc1) Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034482) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) Control character check shadow-maint/shadow#687 Fixed by: shadow-maint/shadow@e5905c4 (4.14.0-rc1) Regression fix: shadow-maint/shadow@2eaea70 (4.14.0-rc1) https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

libtasn1-6 4.19.0-2 (deb) pkg:deb/debian/libtasn1-6@4.19.0-2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <4.19.0-2+deb12u1 Fixed version 4.19.0-2+deb12u1 Description A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. libtasn1-6 4.20.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095406) https://www.openwall.com/lists/oss-security/2025/02/06/6 https://gitlab.com/gnutls/libtasn1/-/issues/52 https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0) https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0) https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html

gnutls28 3.7.9-2+deb12u3 (deb) pkg:deb/debian/gnutls28@3.7.9-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u4 Fixed version 3.7.9-2+deb12u4 Description A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. [experimental] - gnutls28 3.8.9-1 gnutls28 3.8.9-2 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-02-07 https://lists.gnupg.org/pipermail/gnutls-help/2025-February/004875.html https://gitlab.com/gnutls/gnutls/-/issues/1553 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (3.8.9)

libcap2 1:2.66-4 (deb) pkg:deb/debian/libcap2@1:2.66-4?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:2.66-4+deb12u1 Fixed version 1:2.66-4+deb12u1 Description The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap2 1:2.73-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318) [bookworm] - libcap2 1:2.66-4+deb12u1 https://bugzilla.openanolis.cn/show_bug.cgi?id=18804 Fixed by: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 (cap/v1.2.74-rc4)

systemd 252.33-1~deb12u1 (deb) pkg:deb/debian/systemd@252.33-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.38-1~deb12u1 Fixed version 252.38-1~deb12u1 Description A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. systemd 257.6-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106785) https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt For a comprehensive fix a kernel change is required (to hand a pidfd to the usermode coredump helper): https://git.kernel.org/linus/b5325b2a270fcaf7b2a9a0f23d422ca8a5a8bdea Backports (src:linux): https://lore.kernel.org/linux-fsdevel/CAMw=ZnT4KSk_+Z422mEZVzfAkTueKvzdw=r9ZB2JKg5-1t6BDw@mail.gmail.com/ systemd/systemd@49f1f2d (main) systemd/systemd@0c49e00 (main) systemd/systemd@8fc7b2a (main) systemd/systemd@13902e0 (main) systemd/systemd@868d955 (main) systemd/systemd@e6a8687 (main) systemd/systemd@76e0ab4 (main) systemd/systemd@9ce8e3e (main) Fixed by: systemd/systemd@0c49e00 (v258) Fixed by: systemd/systemd@868d955 (v258) Fixed by: systemd/systemd@c58a8a6 (v257.6) Fixed by: systemd/systemd@6155669 (v257.6) Fixed by: systemd/systemd@19d4391 (v256.16) Fixed by: systemd/systemd-stable@254ab8d (v255.21) Fixed by: systemd/systemd-stable@7fc7aa5 (v254.26) Fixed by: systemd/systemd-stable@19b2286 (v253.33) Fixed by: systemd/systemd-stable@2eb46dc (v252.38)

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/p7zip@16.02+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. 7zip 24.08+dfsg-1 (unimportant) p7zip 16.02+transitional.1 (unimportant) Crash in CLI tool, no security impact https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 7zip 24.05+dfsg-1 (unimportant) [bookworm] - 7zip 22.01+dfsg-8+deb12u1 Crash in CLI tool, no security impact p7zip 16.02+transitional.1 (unimportant) https://sourceforge.net/p/sevenzip/bugs/2402/ https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ https://www.openwall.com/lists/oss-security/2024/07/03/10 Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. p7zip (unimportant) https://sourceforge.net/p/p7zip/bugs/241/ Crash in CLI tool, no security impact

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/openldap@2.5.13+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

krb5 1.20.1-2+deb12u3 (deb) pkg:deb/debian/krb5@1.20.1-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

curl 7.88.1-10+deb12u12 (deb) pkg:deb/debian/curl@7.88.1-10+deb12u12?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. curl 8.12.0+git20250209.89ed161+ds-1 (unimportant) https://curl.se/docs/CVE-2025-0725.html Introduced with: curl/curl@019c408 (curl-7_10_5) Fixed by: curl/curl@76f83f0 (curl-8_12_0) Patch only drops officially support for zlib before 1.2.0.4 Can only be triggered when using ancient runtime zlib of version 1.2.0.3 or older Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. curl 8.7.1-1 (unimportant) https://curl.se/docs/CVE-2024-2379.html Introduced by: curl/curl@5d044ad (curl-8_6_0) Fixed by: curl/curl@aedbbdf (curl-8_7_0) curl in Debian not built with wolfSSL support

coreutils 9.1-1 (deb) pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

util-linux 2.38.1-5+deb12u3 (deb) pkg:deb/debian/util-linux@2.38.1-5+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5+deb12u3 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/perl@5.36.0-7+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.36.0-7+deb12u2 Fixed version 5.36.0-7+deb12u2 Description A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. perl 5.40.1-3 [bullseye] - perl (Vulnerable code introduced later) https://lists.security.metacpan.org/cve-announce/msg/28708725/ Introduced by: Perl/perl5@a311ee0 (v5.33.1) Fixed by: Perl/perl5@87f42aa

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

gcc-12 12.2.0-14 (deb) pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12 Affected range <12.2.0-14+deb12u1 Fixed version 12.2.0-14+deb12u1 Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. gcc-13 13.2.0-4 (unimportant) gcc-12 12.3.0-9 (unimportant) [bookworm] - gcc-12 12.2.0-14+deb12u1 gcc-11 11.4.0-4 (unimportant) gcc-10 10.5.0-3 (unimportant) gcc-9 9.5.0-6 (unimportant) gcc-8 (unimportant) gcc-7 (unimportant) GHSA-x7ch-h5rf-w2mf Not considered a security issue by GCC upstream https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

xz-utils 5.4.1-0.2 (deb) pkg:deb/debian/xz-utils@5.4.1-0.2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.4.1-1 Fixed version 5.4.1-1 Description XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. xz-utils 5.8.1-1 [bullseye] - xz-utils (Vulnerable code introduced later) https://www.openwall.com/lists/oss-security/2025/04/03/1 https://tukaani.org/xz/threaded-decoder-early-free.html GHSA-6cc8-p5mm-29w2

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/tar@1.34+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

apt 2.6.1 (deb) pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

openssl 3.0.16-1~deb12u1 (deb) pkg:deb/debian/openssl@3.0.16-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

[github-actions]

Outdated

Recommended fixes for image nam20485/odbdesign:pr-398

Base image is debian:12-slim

Name	bookworm-20250203-slim
Digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
Vulnerabilities
Pushed	4 months ago
Size	28 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as: 12.11-slim bookworm-slim	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	2 weeks ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250520-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	2 weeks ago
12 Tag is latest Also known as: 12.11 bookworm bookworm-20250520 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	2 weeks ago

[github-actions]

Outdated

🔍 Vulnerabilities of nam20485/odbdesign:pr-398

📦 Image Reference nam20485/odbdesign:pr-398

digest	sha256:b3f502d8985745f2a2f0a8bb5d7f94487ad996e1c610c7e89ea94bb489b96e11
vulnerabilities
platform	linux/amd64
size	52 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.9-slim bookworm-20250203-slim bookworm-slim
digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
vulnerabilities

glibc 2.36-9+deb12u9 (deb) pkg:deb/debian/glibc@2.36-9+deb12u9?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u10 Fixed version 2.36-9+deb12u10 Description When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. glibc 2.40-6 [bookworm] - glibc 2.36-9+deb12u10 https://sourceware.org/bugzilla/show_bug.cgi?id=32582 https://www.openwall.com/lists/oss-security/2025/01/22/4 Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch) Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845 (2.36-branch) https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001 https://sourceware.org/pipermail/libc-announce/2025/000044.html

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2215945 shadow-maint/shadow@65c88a4 (4.14.0-rc1) Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034482) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) Control character check shadow-maint/shadow#687 Fixed by: shadow-maint/shadow@e5905c4 (4.14.0-rc1) Regression fix: shadow-maint/shadow@2eaea70 (4.14.0-rc1) https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

systemd 252.33-1~deb12u1 (deb) pkg:deb/debian/systemd@252.33-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.38-1~deb12u1 Fixed version 252.38-1~deb12u1 Description A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. systemd 257.6-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106785) https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt For a comprehensive fix a kernel change is required (to hand a pidfd to the usermode coredump helper): https://git.kernel.org/linus/b5325b2a270fcaf7b2a9a0f23d422ca8a5a8bdea Backports (src:linux): https://lore.kernel.org/linux-fsdevel/CAMw=ZnT4KSk_+Z422mEZVzfAkTueKvzdw=r9ZB2JKg5-1t6BDw@mail.gmail.com/ Fixed by: systemd/systemd@49f1f2d (main) Fixed by: systemd/systemd@0c49e00 (main) Fixed by: systemd/systemd@8fc7b2a (main) Follow up (optional): systemd/systemd@13902e0 (main) Follow up (optional): systemd/systemd@868d955 (main) Follow up (optional): systemd/systemd@e6a8687 (main) Follow up (optional): systemd/systemd@76e0ab4 (main) Follow up (optional): systemd/systemd@9ce8e3e (main) Fixed by: systemd/systemd@0c49e00 (v258) Fixed by: systemd/systemd@868d955 (v258) Fixed by: systemd/systemd@c58a8a6 (v257.6) Fixed by: systemd/systemd@6155669 (v257.6) Fixed by: systemd/systemd@19d4391 (v256.16) Fixed by: systemd/systemd-stable@254ab8d (v255.21) Fixed by: systemd/systemd-stable@7fc7aa5 (v254.26) Fixed by: systemd/systemd-stable@19b2286 (v253.33) Fixed by: systemd/systemd-stable@2eb46dc (v252.38)

gnutls28 3.7.9-2+deb12u3 (deb) pkg:deb/debian/gnutls28@3.7.9-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u4 Fixed version 3.7.9-2+deb12u4 Description A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. [experimental] - gnutls28 3.8.9-1 gnutls28 3.8.9-2 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-02-07 https://lists.gnupg.org/pipermail/gnutls-help/2025-February/004875.html https://gitlab.com/gnutls/gnutls/-/issues/1553 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (3.8.9)

libtasn1-6 4.19.0-2 (deb) pkg:deb/debian/libtasn1-6@4.19.0-2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <4.19.0-2+deb12u1 Fixed version 4.19.0-2+deb12u1 Description A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. libtasn1-6 4.20.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095406) https://www.openwall.com/lists/oss-security/2025/02/06/6 https://gitlab.com/gnutls/libtasn1/-/issues/52 https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0) https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0) https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html

libcap2 1:2.66-4 (deb) pkg:deb/debian/libcap2@1:2.66-4?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:2.66-4+deb12u1 Fixed version 1:2.66-4+deb12u1 Description The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap2 1:2.73-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318) [bookworm] - libcap2 1:2.66-4+deb12u1 https://bugzilla.openanolis.cn/show_bug.cgi?id=18804 Fixed by: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 (cap/v1.2.74-rc4)

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/p7zip@16.02+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. 7zip 24.08+dfsg-1 (unimportant) p7zip 16.02+transitional.1 (unimportant) Crash in CLI tool, no security impact https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 7zip 24.05+dfsg-1 (unimportant) [bookworm] - 7zip 22.01+dfsg-8+deb12u1 Crash in CLI tool, no security impact p7zip 16.02+transitional.1 (unimportant) https://sourceforge.net/p/sevenzip/bugs/2402/ https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ https://www.openwall.com/lists/oss-security/2024/07/03/10 Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. p7zip (unimportant) https://sourceforge.net/p/p7zip/bugs/241/ Crash in CLI tool, no security impact

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/openldap@2.5.13+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

krb5 1.20.1-2+deb12u3 (deb) pkg:deb/debian/krb5@1.20.1-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

curl 7.88.1-10+deb12u12 (deb) pkg:deb/debian/curl@7.88.1-10+deb12u12?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. curl 8.12.0+git20250209.89ed161+ds-1 (unimportant) https://curl.se/docs/CVE-2025-0725.html Introduced with: curl/curl@019c408 (curl-7_10_5) Fixed by: curl/curl@76f83f0 (curl-8_12_0) Patch only drops officially support for zlib before 1.2.0.4 Can only be triggered when using ancient runtime zlib of version 1.2.0.3 or older Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. curl 8.7.1-1 (unimportant) https://curl.se/docs/CVE-2024-2379.html Introduced by: curl/curl@5d044ad (curl-8_6_0) Fixed by: curl/curl@aedbbdf (curl-8_7_0) curl in Debian not built with wolfSSL support

coreutils 9.1-1 (deb) pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/tar@1.34+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

apt 2.6.1 (deb) pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

xz-utils 5.4.1-0.2 (deb) pkg:deb/debian/xz-utils@5.4.1-0.2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.4.1-1 Fixed version 5.4.1-1 Description XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. xz-utils 5.8.1-1 [bullseye] - xz-utils (Vulnerable code introduced later) https://www.openwall.com/lists/oss-security/2025/04/03/1 https://tukaani.org/xz/threaded-decoder-early-free.html GHSA-6cc8-p5mm-29w2

gcc-12 12.2.0-14 (deb) pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12 Affected range <12.2.0-14+deb12u1 Fixed version 12.2.0-14+deb12u1 Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. gcc-13 13.2.0-4 (unimportant) gcc-12 12.3.0-9 (unimportant) [bookworm] - gcc-12 12.2.0-14+deb12u1 gcc-11 11.4.0-4 (unimportant) gcc-10 10.5.0-3 (unimportant) gcc-9 9.5.0-6 (unimportant) gcc-8 (unimportant) gcc-7 (unimportant) GHSA-x7ch-h5rf-w2mf Not considered a security issue by GCC upstream https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

util-linux 2.38.1-5+deb12u3 (deb) pkg:deb/debian/util-linux@2.38.1-5+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5+deb12u3 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

openssl 3.0.16-1~deb12u1 (deb) pkg:deb/debian/openssl@3.0.16-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/perl@5.36.0-7+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.36.0-7+deb12u2 Fixed version 5.36.0-7+deb12u2 Description A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. perl 5.40.1-3 [bullseye] - perl (Vulnerable code introduced later) https://lists.security.metacpan.org/cve-announce/msg/28708725/ Introduced by: Perl/perl5@a311ee0 (v5.33.1) Fixed by: Perl/perl5@87f42aa

[github-actions]

Outdated

Recommended fixes for image nam20485/odbdesign:pr-398

Base image is debian:12-slim

Name	bookworm-20250203-slim
Digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
Vulnerabilities
Pushed	4 months ago
Size	28 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as:	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB OS: 12	3 weeks ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250610-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12.11-slim Image introduces 12 low vulnerabilities Also known as: bookworm-slim	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12 Tag is latest Also known as: bookworm bookworm-20250610 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	4 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of nam20485/odbdesign:pr-398

📦 Image Reference nam20485/odbdesign:pr-398

digest	sha256:fe12e1370d182e39a735f84fe82532a2c35b08fd8a3b2d030cf93509821eace9
vulnerabilities
platform	linux/amd64
size	52 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.9-slim bookworm-20250203-slim bookworm-slim
digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
vulnerabilities

glibc 2.36-9+deb12u9 (deb) pkg:deb/debian/glibc@2.36-9+deb12u9?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u10 Fixed version 2.36-9+deb12u10 Description When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. glibc 2.40-6 [bookworm] - glibc 2.36-9+deb12u10 https://sourceware.org/bugzilla/show_bug.cgi?id=32582 https://www.openwall.com/lists/oss-security/2025/01/22/4 Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch) Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845 (2.36-branch) https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001 https://sourceware.org/pipermail/libc-announce/2025/000044.html

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2215945 shadow-maint/shadow@65c88a4 (4.14.0-rc1) Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034482) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) Control character check shadow-maint/shadow#687 Fixed by: shadow-maint/shadow@e5905c4 (4.14.0-rc1) Regression fix: shadow-maint/shadow@2eaea70 (4.14.0-rc1) https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

libtasn1-6 4.19.0-2 (deb) pkg:deb/debian/libtasn1-6@4.19.0-2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <4.19.0-2+deb12u1 Fixed version 4.19.0-2+deb12u1 Description A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. libtasn1-6 4.20.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095406) https://www.openwall.com/lists/oss-security/2025/02/06/6 https://gitlab.com/gnutls/libtasn1/-/issues/52 https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0) https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0) https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html

libcap2 1:2.66-4 (deb) pkg:deb/debian/libcap2@1:2.66-4?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:2.66-4+deb12u1 Fixed version 1:2.66-4+deb12u1 Description The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap2 1:2.73-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318) [bookworm] - libcap2 1:2.66-4+deb12u1 https://bugzilla.openanolis.cn/show_bug.cgi?id=18804 Fixed by: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 (cap/v1.2.74-rc4)

systemd 252.33-1~deb12u1 (deb) pkg:deb/debian/systemd@252.33-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.38-1~deb12u1 Fixed version 252.38-1~deb12u1 Description A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. systemd 257.6-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106785) https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt For a comprehensive fix a kernel change is required (to hand a pidfd to the usermode coredump helper): https://git.kernel.org/linus/b5325b2a270fcaf7b2a9a0f23d422ca8a5a8bdea Backports (src:linux): https://lore.kernel.org/linux-fsdevel/CAMw=ZnT4KSk_+Z422mEZVzfAkTueKvzdw=r9ZB2JKg5-1t6BDw@mail.gmail.com/ Fixed by: systemd/systemd@49f1f2d (main) Fixed by: systemd/systemd@0c49e00 (main) Fixed by: systemd/systemd@8fc7b2a (main) Follow up (optional): systemd/systemd@13902e0 (main) Follow up (optional): systemd/systemd@868d955 (main) Follow up (optional): systemd/systemd@e6a8687 (main) Follow up (optional): systemd/systemd@76e0ab4 (main) Follow up (optional): systemd/systemd@9ce8e3e (main) Fixed by: systemd/systemd@0c49e00 (v258) Fixed by: systemd/systemd@868d955 (v258) Fixed by: systemd/systemd@c58a8a6 (v257.6) Fixed by: systemd/systemd@6155669 (v257.6) Fixed by: systemd/systemd@19d4391 (v256.16) Fixed by: systemd/systemd-stable@254ab8d (v255.21) Fixed by: systemd/systemd-stable@7fc7aa5 (v254.26) Fixed by: systemd/systemd-stable@19b2286 (v253.33) Fixed by: systemd/systemd-stable@2eb46dc (v252.38)

gnutls28 3.7.9-2+deb12u3 (deb) pkg:deb/debian/gnutls28@3.7.9-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u4 Fixed version 3.7.9-2+deb12u4 Description A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. [experimental] - gnutls28 3.8.9-1 gnutls28 3.8.9-2 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-02-07 https://lists.gnupg.org/pipermail/gnutls-help/2025-February/004875.html https://gitlab.com/gnutls/gnutls/-/issues/1553 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (3.8.9)

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/p7zip@16.02+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. 7zip 24.08+dfsg-1 (unimportant) p7zip 16.02+transitional.1 (unimportant) Crash in CLI tool, no security impact https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 7zip 24.05+dfsg-1 (unimportant) [bookworm] - 7zip 22.01+dfsg-8+deb12u1 Crash in CLI tool, no security impact p7zip 16.02+transitional.1 (unimportant) https://sourceforge.net/p/sevenzip/bugs/2402/ https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ https://www.openwall.com/lists/oss-security/2024/07/03/10 Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. p7zip (unimportant) https://sourceforge.net/p/p7zip/bugs/241/ Crash in CLI tool, no security impact

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/openldap@2.5.13+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

krb5 1.20.1-2+deb12u3 (deb) pkg:deb/debian/krb5@1.20.1-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

curl 7.88.1-10+deb12u12 (deb) pkg:deb/debian/curl@7.88.1-10+deb12u12?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. curl 8.12.0+git20250209.89ed161+ds-1 (unimportant) https://curl.se/docs/CVE-2025-0725.html Introduced with: curl/curl@019c408 (curl-7_10_5) Fixed by: curl/curl@76f83f0 (curl-8_12_0) Patch only drops officially support for zlib before 1.2.0.4 Can only be triggered when using ancient runtime zlib of version 1.2.0.3 or older Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. curl 8.7.1-1 (unimportant) https://curl.se/docs/CVE-2024-2379.html Introduced by: curl/curl@5d044ad (curl-8_6_0) Fixed by: curl/curl@aedbbdf (curl-8_7_0) curl in Debian not built with wolfSSL support

coreutils 9.1-1 (deb) pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

xz-utils 5.4.1-0.2 (deb) pkg:deb/debian/xz-utils@5.4.1-0.2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.4.1-1 Fixed version 5.4.1-1 Description XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. xz-utils 5.8.1-1 [bullseye] - xz-utils (Vulnerable code introduced later) https://www.openwall.com/lists/oss-security/2025/04/03/1 https://tukaani.org/xz/threaded-decoder-early-free.html GHSA-6cc8-p5mm-29w2

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/perl@5.36.0-7+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.36.0-7+deb12u2 Fixed version 5.36.0-7+deb12u2 Description A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. perl 5.40.1-3 [bullseye] - perl (Vulnerable code introduced later) https://lists.security.metacpan.org/cve-announce/msg/28708725/ Introduced by: Perl/perl5@a311ee0 (v5.33.1) Fixed by: Perl/perl5@87f42aa

util-linux 2.38.1-5+deb12u3 (deb) pkg:deb/debian/util-linux@2.38.1-5+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5+deb12u3 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/tar@1.34+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

apt 2.6.1 (deb) pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

openssl 3.0.16-1~deb12u1 (deb) pkg:deb/debian/openssl@3.0.16-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

gcc-12 12.2.0-14 (deb) pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12 Affected range <12.2.0-14+deb12u1 Fixed version 12.2.0-14+deb12u1 Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. gcc-13 13.2.0-4 (unimportant) gcc-12 12.3.0-9 (unimportant) [bookworm] - gcc-12 12.2.0-14+deb12u1 gcc-11 11.4.0-4 (unimportant) gcc-10 10.5.0-3 (unimportant) gcc-9 9.5.0-6 (unimportant) gcc-8 (unimportant) gcc-7 (unimportant) GHSA-x7ch-h5rf-w2mf Not considered a security issue by GCC upstream https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

[github-actions]

Outdated

Recommended fixes for image nam20485/odbdesign:pr-398

Base image is debian:12-slim

Name	bookworm-20250203-slim
Digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
Vulnerabilities
Pushed	4 months ago
Size	28 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as:	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB OS: 12	3 weeks ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250610-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12.11-slim Image introduces 12 low vulnerabilities Also known as: bookworm-slim	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12 Tag is latest Also known as: bookworm bookworm-20250610 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	4 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of nam20485/odbdesign:pr-398

📦 Image Reference nam20485/odbdesign:pr-398

digest	sha256:a180a17a08dad1099fbb8c7891074a2afcfe8b46b7750fb15831b25542552464
vulnerabilities
platform	linux/amd64
size	52 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.9-slim bookworm-20250203-slim bookworm-slim
digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
vulnerabilities

glibc 2.36-9+deb12u9 (deb) pkg:deb/debian/glibc@2.36-9+deb12u9?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u10 Fixed version 2.36-9+deb12u10 Description When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. glibc 2.40-6 [bookworm] - glibc 2.36-9+deb12u10 https://sourceware.org/bugzilla/show_bug.cgi?id=32582 https://www.openwall.com/lists/oss-security/2025/01/22/4 Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch) Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845 (2.36-branch) https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001 https://sourceware.org/pipermail/libc-announce/2025/000044.html

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2215945 shadow-maint/shadow@65c88a4 (4.14.0-rc1) Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034482) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) Control character check shadow-maint/shadow#687 Fixed by: shadow-maint/shadow@e5905c4 (4.14.0-rc1) Regression fix: shadow-maint/shadow@2eaea70 (4.14.0-rc1) https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

systemd 252.33-1~deb12u1 (deb) pkg:deb/debian/systemd@252.33-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.38-1~deb12u1 Fixed version 252.38-1~deb12u1 Description A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. systemd 257.6-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106785) https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt For a comprehensive fix a kernel change is required (to hand a pidfd to the usermode coredump helper): https://git.kernel.org/linus/b5325b2a270fcaf7b2a9a0f23d422ca8a5a8bdea Backports (src:linux): https://lore.kernel.org/linux-fsdevel/CAMw=ZnT4KSk_+Z422mEZVzfAkTueKvzdw=r9ZB2JKg5-1t6BDw@mail.gmail.com/ Fixed by: systemd/systemd@49f1f2d (main) Fixed by: systemd/systemd@0c49e00 (main) Fixed by: systemd/systemd@8fc7b2a (main) Follow up (optional): systemd/systemd@13902e0 (main) Follow up (optional): systemd/systemd@868d955 (main) Follow up (optional): systemd/systemd@e6a8687 (main) Follow up (optional): systemd/systemd@76e0ab4 (main) Follow up (optional): systemd/systemd@9ce8e3e (main) Fixed by: systemd/systemd@0c49e00 (v258) Fixed by: systemd/systemd@868d955 (v258) Fixed by: systemd/systemd@c58a8a6 (v257.6) Fixed by: systemd/systemd@6155669 (v257.6) Fixed by: systemd/systemd@19d4391 (v256.16) Fixed by: systemd/systemd-stable@254ab8d (v255.21) Fixed by: systemd/systemd-stable@7fc7aa5 (v254.26) Fixed by: systemd/systemd-stable@19b2286 (v253.33) Fixed by: systemd/systemd-stable@2eb46dc (v252.38)

gnutls28 3.7.9-2+deb12u3 (deb) pkg:deb/debian/gnutls28@3.7.9-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u4 Fixed version 3.7.9-2+deb12u4 Description A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. [experimental] - gnutls28 3.8.9-1 gnutls28 3.8.9-2 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-02-07 https://lists.gnupg.org/pipermail/gnutls-help/2025-February/004875.html https://gitlab.com/gnutls/gnutls/-/issues/1553 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (3.8.9)

libtasn1-6 4.19.0-2 (deb) pkg:deb/debian/libtasn1-6@4.19.0-2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <4.19.0-2+deb12u1 Fixed version 4.19.0-2+deb12u1 Description A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. libtasn1-6 4.20.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095406) https://www.openwall.com/lists/oss-security/2025/02/06/6 https://gitlab.com/gnutls/libtasn1/-/issues/52 https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0) https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0) https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html

libcap2 1:2.66-4 (deb) pkg:deb/debian/libcap2@1:2.66-4?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:2.66-4+deb12u1 Fixed version 1:2.66-4+deb12u1 Description The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap2 1:2.73-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318) [bookworm] - libcap2 1:2.66-4+deb12u1 https://bugzilla.openanolis.cn/show_bug.cgi?id=18804 Fixed by: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 (cap/v1.2.74-rc4)

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/p7zip@16.02+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. 7zip 24.08+dfsg-1 (unimportant) p7zip 16.02+transitional.1 (unimportant) Crash in CLI tool, no security impact https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 7zip 24.05+dfsg-1 (unimportant) [bookworm] - 7zip 22.01+dfsg-8+deb12u1 Crash in CLI tool, no security impact p7zip 16.02+transitional.1 (unimportant) https://sourceforge.net/p/sevenzip/bugs/2402/ https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ https://www.openwall.com/lists/oss-security/2024/07/03/10 Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. p7zip (unimportant) https://sourceforge.net/p/p7zip/bugs/241/ Crash in CLI tool, no security impact

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/openldap@2.5.13+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

krb5 1.20.1-2+deb12u3 (deb) pkg:deb/debian/krb5@1.20.1-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

coreutils 9.1-1 (deb) pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

curl 7.88.1-10+deb12u12 (deb) pkg:deb/debian/curl@7.88.1-10+deb12u12?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. curl 8.12.0+git20250209.89ed161+ds-1 (unimportant) https://curl.se/docs/CVE-2025-0725.html Introduced with: curl/curl@019c408 (curl-7_10_5) Fixed by: curl/curl@76f83f0 (curl-8_12_0) Patch only drops officially support for zlib before 1.2.0.4 Can only be triggered when using ancient runtime zlib of version 1.2.0.3 or older Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. curl 8.7.1-1 (unimportant) https://curl.se/docs/CVE-2024-2379.html Introduced by: curl/curl@5d044ad (curl-8_6_0) Fixed by: curl/curl@aedbbdf (curl-8_7_0) curl in Debian not built with wolfSSL support

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/perl@5.36.0-7+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.36.0-7+deb12u2 Fixed version 5.36.0-7+deb12u2 Description A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. perl 5.40.1-3 [bullseye] - perl (Vulnerable code introduced later) https://lists.security.metacpan.org/cve-announce/msg/28708725/ Introduced by: Perl/perl5@a311ee0 (v5.33.1) Fixed by: Perl/perl5@87f42aa

apt 2.6.1 (deb) pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

openssl 3.0.16-1~deb12u1 (deb) pkg:deb/debian/openssl@3.0.16-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

xz-utils 5.4.1-0.2 (deb) pkg:deb/debian/xz-utils@5.4.1-0.2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.4.1-1 Fixed version 5.4.1-1 Description XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. xz-utils 5.8.1-1 [bullseye] - xz-utils (Vulnerable code introduced later) https://www.openwall.com/lists/oss-security/2025/04/03/1 https://tukaani.org/xz/threaded-decoder-early-free.html GHSA-6cc8-p5mm-29w2

gcc-12 12.2.0-14 (deb) pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12 Affected range <12.2.0-14+deb12u1 Fixed version 12.2.0-14+deb12u1 Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. gcc-13 13.2.0-4 (unimportant) gcc-12 12.3.0-9 (unimportant) [bookworm] - gcc-12 12.2.0-14+deb12u1 gcc-11 11.4.0-4 (unimportant) gcc-10 10.5.0-3 (unimportant) gcc-9 9.5.0-6 (unimportant) gcc-8 (unimportant) gcc-7 (unimportant) GHSA-x7ch-h5rf-w2mf Not considered a security issue by GCC upstream https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

util-linux 2.38.1-5+deb12u3 (deb) pkg:deb/debian/util-linux@2.38.1-5+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5+deb12u3 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/tar@1.34+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

[github-actions]

Outdated

Recommended fixes for image nam20485/odbdesign:pr-398

Base image is debian:12-slim

Name	bookworm-20250203-slim
Digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
Vulnerabilities
Pushed	4 months ago
Size	28 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as:	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB OS: 12	3 weeks ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250610-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12.11-slim Image introduces 12 low vulnerabilities Also known as: bookworm-slim	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12 Tag is latest Also known as: bookworm bookworm-20250610 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	4 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of nam20485/odbdesign:pr-398

📦 Image Reference nam20485/odbdesign:pr-398

digest	sha256:aded50e84bd3c93659ec7068a4bd29af26f75314b6430bee6cb060274e8d93d6
vulnerabilities
platform	linux/amd64
size	52 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.9-slim bookworm-20250203-slim bookworm-slim
digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
vulnerabilities

glibc 2.36-9+deb12u9 (deb) pkg:deb/debian/glibc@2.36-9+deb12u9?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u10 Fixed version 2.36-9+deb12u10 Description When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. glibc 2.40-6 [bookworm] - glibc 2.36-9+deb12u10 https://sourceware.org/bugzilla/show_bug.cgi?id=32582 https://www.openwall.com/lists/oss-security/2025/01/22/4 Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch) Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845 (2.36-branch) https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001 https://sourceware.org/pipermail/libc-announce/2025/000044.html

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2215945 shadow-maint/shadow@65c88a4 (4.14.0-rc1) Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034482) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) Control character check shadow-maint/shadow#687 Fixed by: shadow-maint/shadow@e5905c4 (4.14.0-rc1) Regression fix: shadow-maint/shadow@2eaea70 (4.14.0-rc1) https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

gnutls28 3.7.9-2+deb12u3 (deb) pkg:deb/debian/gnutls28@3.7.9-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u4 Fixed version 3.7.9-2+deb12u4 Description A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. [experimental] - gnutls28 3.8.9-1 gnutls28 3.8.9-2 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-02-07 https://lists.gnupg.org/pipermail/gnutls-help/2025-February/004875.html https://gitlab.com/gnutls/gnutls/-/issues/1553 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (3.8.9)

libcap2 1:2.66-4 (deb) pkg:deb/debian/libcap2@1:2.66-4?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:2.66-4+deb12u1 Fixed version 1:2.66-4+deb12u1 Description The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap2 1:2.73-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318) [bookworm] - libcap2 1:2.66-4+deb12u1 https://bugzilla.openanolis.cn/show_bug.cgi?id=18804 Fixed by: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 (cap/v1.2.74-rc4)

systemd 252.33-1~deb12u1 (deb) pkg:deb/debian/systemd@252.33-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.38-1~deb12u1 Fixed version 252.38-1~deb12u1 Description A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. systemd 257.6-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106785) https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt For a comprehensive fix a kernel change is required (to hand a pidfd to the usermode coredump helper): https://git.kernel.org/linus/b5325b2a270fcaf7b2a9a0f23d422ca8a5a8bdea Backports (src:linux): https://lore.kernel.org/linux-fsdevel/CAMw=ZnT4KSk_+Z422mEZVzfAkTueKvzdw=r9ZB2JKg5-1t6BDw@mail.gmail.com/ Fixed by: systemd/systemd@49f1f2d (main) Fixed by: systemd/systemd@0c49e00 (main) Fixed by: systemd/systemd@8fc7b2a (main) Follow up (optional): systemd/systemd@13902e0 (main) Follow up (optional): systemd/systemd@868d955 (main) Follow up (optional): systemd/systemd@e6a8687 (main) Follow up (optional): systemd/systemd@76e0ab4 (main) Follow up (optional): systemd/systemd@9ce8e3e (main) Fixed by: systemd/systemd@0c49e00 (v258) Fixed by: systemd/systemd@868d955 (v258) Fixed by: systemd/systemd@c58a8a6 (v257.6) Fixed by: systemd/systemd@6155669 (v257.6) Fixed by: systemd/systemd@19d4391 (v256.16) Fixed by: systemd/systemd-stable@254ab8d (v255.21) Fixed by: systemd/systemd-stable@7fc7aa5 (v254.26) Fixed by: systemd/systemd-stable@19b2286 (v253.33) Fixed by: systemd/systemd-stable@2eb46dc (v252.38)

libtasn1-6 4.19.0-2 (deb) pkg:deb/debian/libtasn1-6@4.19.0-2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <4.19.0-2+deb12u1 Fixed version 4.19.0-2+deb12u1 Description A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. libtasn1-6 4.20.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095406) https://www.openwall.com/lists/oss-security/2025/02/06/6 https://gitlab.com/gnutls/libtasn1/-/issues/52 https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0) https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0) https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/p7zip@16.02+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. 7zip 24.08+dfsg-1 (unimportant) p7zip 16.02+transitional.1 (unimportant) Crash in CLI tool, no security impact https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 7zip 24.05+dfsg-1 (unimportant) [bookworm] - 7zip 22.01+dfsg-8+deb12u1 Crash in CLI tool, no security impact p7zip 16.02+transitional.1 (unimportant) https://sourceforge.net/p/sevenzip/bugs/2402/ https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ https://www.openwall.com/lists/oss-security/2024/07/03/10 Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. p7zip (unimportant) https://sourceforge.net/p/p7zip/bugs/241/ Crash in CLI tool, no security impact

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/openldap@2.5.13+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

krb5 1.20.1-2+deb12u3 (deb) pkg:deb/debian/krb5@1.20.1-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

coreutils 9.1-1 (deb) pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

curl 7.88.1-10+deb12u12 (deb) pkg:deb/debian/curl@7.88.1-10+deb12u12?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. curl 8.12.0+git20250209.89ed161+ds-1 (unimportant) https://curl.se/docs/CVE-2025-0725.html Introduced with: curl/curl@019c408 (curl-7_10_5) Fixed by: curl/curl@76f83f0 (curl-8_12_0) Patch only drops officially support for zlib before 1.2.0.4 Can only be triggered when using ancient runtime zlib of version 1.2.0.3 or older Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. curl 8.7.1-1 (unimportant) https://curl.se/docs/CVE-2024-2379.html Introduced by: curl/curl@5d044ad (curl-8_6_0) Fixed by: curl/curl@aedbbdf (curl-8_7_0) curl in Debian not built with wolfSSL support

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/tar@1.34+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

xz-utils 5.4.1-0.2 (deb) pkg:deb/debian/xz-utils@5.4.1-0.2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.4.1-1 Fixed version 5.4.1-1 Description XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. xz-utils 5.8.1-1 [bullseye] - xz-utils (Vulnerable code introduced later) https://www.openwall.com/lists/oss-security/2025/04/03/1 https://tukaani.org/xz/threaded-decoder-early-free.html GHSA-6cc8-p5mm-29w2

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/perl@5.36.0-7+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.36.0-7+deb12u2 Fixed version 5.36.0-7+deb12u2 Description A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. perl 5.40.1-3 [bullseye] - perl (Vulnerable code introduced later) https://lists.security.metacpan.org/cve-announce/msg/28708725/ Introduced by: Perl/perl5@a311ee0 (v5.33.1) Fixed by: Perl/perl5@87f42aa

openssl 3.0.16-1~deb12u1 (deb) pkg:deb/debian/openssl@3.0.16-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

util-linux 2.38.1-5+deb12u3 (deb) pkg:deb/debian/util-linux@2.38.1-5+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5+deb12u3 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

gcc-12 12.2.0-14 (deb) pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12 Affected range <12.2.0-14+deb12u1 Fixed version 12.2.0-14+deb12u1 Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. gcc-13 13.2.0-4 (unimportant) gcc-12 12.3.0-9 (unimportant) [bookworm] - gcc-12 12.2.0-14+deb12u1 gcc-11 11.4.0-4 (unimportant) gcc-10 10.5.0-3 (unimportant) gcc-9 9.5.0-6 (unimportant) gcc-8 (unimportant) gcc-7 (unimportant) GHSA-x7ch-h5rf-w2mf Not considered a security issue by GCC upstream https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

apt 2.6.1 (deb) pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

[github-actions]

Outdated

Recommended fixes for image nam20485/odbdesign:pr-398

Base image is debian:12-slim

Name	bookworm-20250203-slim
Digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
Vulnerabilities
Pushed	4 months ago
Size	28 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as:	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB OS: 12	3 weeks ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250610-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12.11-slim Image introduces 12 low vulnerabilities Also known as: bookworm-slim	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12 Tag is latest Also known as: bookworm bookworm-20250610 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	4 days ago

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🔍 Vulnerabilities of nam20485/odbdesign:pr-398

📦 Image Reference nam20485/odbdesign:pr-398

digest	sha256:f190d15852cd7d43822fc6067965c1d86d55b3c1c67af2020073387ac18bbd4b
vulnerabilities
platform	linux/amd64
size	52 MB
packages	155

📦 Base Image debian:12-slim

also known as	12.9-slim bookworm-20250203-slim bookworm-slim
digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
vulnerabilities

glibc 2.36-9+deb12u9 (deb) pkg:deb/debian/glibc@2.36-9+deb12u9?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u10 Fixed version 2.36-9+deb12u10 Description When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. glibc 2.40-6 [bookworm] - glibc 2.36-9+deb12u10 https://sourceware.org/bugzilla/show_bug.cgi?id=32582 https://www.openwall.com/lists/oss-security/2025/01/22/4 Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch) Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845 (2.36-branch) https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001 https://sourceware.org/pipermail/libc-announce/2025/000044.html

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2215945 shadow-maint/shadow@65c88a4 (4.14.0-rc1) Affected range <1:4.13+dfsg1-1+deb12u1 Fixed version 1:4.13+dfsg1-1+deb12u1 Description In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. shadow 1:4.13+dfsg1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034482) [bookworm] - shadow 1:4.13+dfsg1-1+deb12u1 [buster] - shadow (Minor issue) Control character check shadow-maint/shadow#687 Fixed by: shadow-maint/shadow@e5905c4 (4.14.0-rc1) Regression fix: shadow-maint/shadow@2eaea70 (4.14.0-rc1) https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

systemd 252.33-1~deb12u1 (deb) pkg:deb/debian/systemd@252.33-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.38-1~deb12u1 Fixed version 252.38-1~deb12u1 Description A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. systemd 257.6-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106785) https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt For a comprehensive fix a kernel change is required (to hand a pidfd to the usermode coredump helper): https://git.kernel.org/linus/b5325b2a270fcaf7b2a9a0f23d422ca8a5a8bdea Backports (src:linux): https://lore.kernel.org/linux-fsdevel/CAMw=ZnT4KSk_+Z422mEZVzfAkTueKvzdw=r9ZB2JKg5-1t6BDw@mail.gmail.com/ Fixed by: systemd/systemd@49f1f2d (main) Fixed by: systemd/systemd@0c49e00 (main) Fixed by: systemd/systemd@8fc7b2a (main) Follow up (optional): systemd/systemd@13902e0 (main) Follow up (optional): systemd/systemd@868d955 (main) Follow up (optional): systemd/systemd@e6a8687 (main) Follow up (optional): systemd/systemd@76e0ab4 (main) Follow up (optional): systemd/systemd@9ce8e3e (main) Fixed by: systemd/systemd@0c49e00 (v258) Fixed by: systemd/systemd@868d955 (v258) Fixed by: systemd/systemd@c58a8a6 (v257.6) Fixed by: systemd/systemd@6155669 (v257.6) Fixed by: systemd/systemd@19d4391 (v256.16) Fixed by: systemd/systemd-stable@254ab8d (v255.21) Fixed by: systemd/systemd-stable@7fc7aa5 (v254.26) Fixed by: systemd/systemd-stable@19b2286 (v253.33) Fixed by: systemd/systemd-stable@2eb46dc (v252.38)

libtasn1-6 4.19.0-2 (deb) pkg:deb/debian/libtasn1-6@4.19.0-2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <4.19.0-2+deb12u1 Fixed version 4.19.0-2+deb12u1 Description A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. libtasn1-6 4.20.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095406) https://www.openwall.com/lists/oss-security/2025/02/06/6 https://gitlab.com/gnutls/libtasn1/-/issues/52 https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0) https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0) https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html

libcap2 1:2.66-4 (deb) pkg:deb/debian/libcap2@1:2.66-4?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1:2.66-4+deb12u1 Fixed version 1:2.66-4+deb12u1 Description The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap2 1:2.73-4 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098318) [bookworm] - libcap2 1:2.66-4+deb12u1 https://bugzilla.openanolis.cn/show_bug.cgi?id=18804 Fixed by: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 (cap/v1.2.74-rc4)

gnutls28 3.7.9-2+deb12u3 (deb) pkg:deb/debian/gnutls28@3.7.9-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u4 Fixed version 3.7.9-2+deb12u4 Description A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. [experimental] - gnutls28 3.8.9-1 gnutls28 3.8.9-2 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-02-07 https://lists.gnupg.org/pipermail/gnutls-help/2025-February/004875.html https://gitlab.com/gnutls/gnutls/-/issues/1553 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 (3.8.9)

p7zip 16.02+dfsg-8 (deb) pkg:deb/debian/p7zip@16.02+dfsg-8?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307. 7zip 24.08+dfsg-1 (unimportant) p7zip 16.02+transitional.1 (unimportant) Crash in CLI tool, no security impact https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. 7zip 24.05+dfsg-1 (unimportant) [bookworm] - 7zip 22.01+dfsg-8+deb12u1 Crash in CLI tool, no security impact p7zip 16.02+transitional.1 (unimportant) https://sourceforge.net/p/sevenzip/bugs/2402/ https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ https://www.openwall.com/lists/oss-security/2024/07/03/10 Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description 7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected. 7zip (unimportant) p7zip 16.02+transitional.1 (unimportant) Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package depending on 7zip. Mark this version as fixed version. https://github.com/boofish/semantic-bugs/ Negligible security impact Affected range >=16.02+dfsg-8 Fixed version Not Fixed Description p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. p7zip (unimportant) https://sourceforge.net/p/p7zip/bugs/241/ Crash in CLI tool, no security impact

openldap 2.5.13+dfsg-5 (deb) pkg:deb/debian/openldap@2.5.13+dfsg-5?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP. Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. openldap (unimportant) http://www.openldap.org/its/index.cgi/Incoming?id=8759 nops slapd-module not built Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. openldap (unimportant) http://www.openldap.org/its/index.cgi?findid=8703 Negligible security impact, but filed #877512 Affected range >=2.5.13+dfsg-5 Fixed version Not Fixed Description The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. openldap (unimportant) Debian builds with GNUTLS, not NSS

krb5 1.20.1-2+deb12u3 (deb) pkg:deb/debian/krb5@1.20.1-2+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.20.1-2+deb12u3 Fixed version Not Fixed Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

curl 7.88.1-10+deb12u12 (deb) pkg:deb/debian/curl@7.88.1-10+deb12u12?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. curl 8.12.0+git20250209.89ed161+ds-1 (unimportant) https://curl.se/docs/CVE-2025-0725.html Introduced with: curl/curl@019c408 (curl-7_10_5) Fixed by: curl/curl@76f83f0 (curl-8_12_0) Patch only drops officially support for zlib before 1.2.0.4 Can only be triggered when using ancient runtime zlib of version 1.2.0.3 or older Affected range >=7.88.1-10+deb12u12 Fixed version Not Fixed Description libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. curl 8.7.1-1 (unimportant) https://curl.se/docs/CVE-2024-2379.html Introduced by: curl/curl@5d044ad (curl-8_6_0) Fixed by: curl/curl@aedbbdf (curl-8_7_0) curl in Debian not built with wolfSSL support

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683) https://bugzilla.redhat.com/show_bug.cgi?id=2268268 https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt https://people.redhat.com/~hkario/marvin/ https://dev.gnupg.org/T7136 https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17 Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. libgcrypt20 (unimportant) libgcrypt11 (unimportant) gnupg1 (unimportant) gnupg (unimportant) https://github.com/weikengchen/attack-on-libgcrypt-elgamal https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html GnuPG uses ElGamal in hybrid mode only. This is not a vulnerability in libgcrypt, but in an application using it in an insecure manner, see also https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

coreutils 9.1-1 (deb) pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

util-linux 2.38.1-5+deb12u3 (deb) pkg:deb/debian/util-linux@2.38.1-5+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5+deb12u3 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

xz-utils 5.4.1-0.2 (deb) pkg:deb/debian/xz-utils@5.4.1-0.2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.4.1-1 Fixed version 5.4.1-1 Description XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. xz-utils 5.8.1-1 [bullseye] - xz-utils (Vulnerable code introduced later) https://www.openwall.com/lists/oss-security/2025/04/03/1 https://tukaani.org/xz/threaded-decoder-early-free.html GHSA-6cc8-p5mm-29w2

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. gnupg2 (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2127010 https://dev.gnupg.org/D556 https://dev.gnupg.org/T5993 https://www.openwall.com/lists/oss-security/2022/07/04/8 GnuPG upstream is not implementing this change.

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/perl@5.36.0-7+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <5.36.0-7+deb12u2 Fixed version 5.36.0-7+deb12u2 Description A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. perl 5.40.1-3 [bullseye] - perl (Vulnerable code introduced later) https://lists.security.metacpan.org/cve-announce/msg/28708725/ Introduced by: Perl/perl5@a311ee0 (v5.33.1) Fixed by: Perl/perl5@87f42aa

openssl 3.0.16-1~deb12u1 (deb) pkg:deb/debian/openssl@3.0.16-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=3.0.11-1~deb12u2 Fixed version Not Fixed Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

apt 2.6.1 (deb) pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

gcc-12 12.2.0-14 (deb) pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12 Affected range <12.2.0-14+deb12u1 Fixed version 12.2.0-14+deb12u1 Description DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. gcc-13 13.2.0-4 (unimportant) gcc-12 12.3.0-9 (unimportant) [bookworm] - gcc-12 12.2.0-14+deb12u1 gcc-11 11.4.0-4 (unimportant) gcc-10 10.5.0-3 (unimportant) gcc-9 9.5.0-6 (unimportant) gcc-8 (unimportant) gcc-7 (unimportant) GHSA-x7ch-h5rf-w2mf Not considered a security issue by GCC upstream https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

tar 1.34+dfsg-1.2+deb12u1 (deb) pkg:deb/debian/tar@1.34+dfsg-1.2+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.34+dfsg-1.2+deb12u1 Fixed version Not Fixed Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

[github-actions]

Recommended fixes for image nam20485/odbdesign:pr-398

Base image is debian:12-slim

Name	bookworm-20250203-slim
Digest	sha256:44bccdd61bf09a081b1db8c61cf49bfabf30ac7afcc970010137c0ab587b209c
Vulnerabilities
Pushed	4 months ago
Size	28 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as:	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB OS: 12	3 weeks ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20250610-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12.11-slim Image introduces 12 low vulnerabilities Also known as: bookworm-slim	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image contains equal number of packages Tag is using slim variant Image details: Size: 28 MB Flavor: debian OS: 12 Slim: ✅	4 days ago
12 Tag is latest Also known as: bookworm bookworm-20250610 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image contains equal number of packages Image details: Size: 48 MB Flavor: debian OS: 12	4 days ago