Skip to content
Snippets Groups Projects

test:container_scanning

Passed Started by
Gabriel Mazetto
@brodock
1Running with gitlab-runner 12.10.0-rc2 (6c8c540f)
2 on docker-auto-scale 0277ea0f
3 Preparing the "docker+machine" executor 00:48
4Using Docker executor with image docker:19.03.0 ...
5Starting service docker:19.03.0-dind ...
6Pulling docker image docker:19.03.0-dind ...
7Using docker image sha256:fd0c64832f7e46b63a180e6000dbba7ad7a63542c5764841cba73429ba74a39e for docker:19.03.0-dind ...
8Waiting for services to be up and running...
9*** WARNING: Service runner-0277ea0f-project-74823-concurrent-0-c466335234ad3fff-docker-0 probably didn't start properly.
10Health check error:
11service "runner-0277ea0f-project-74823-concurrent-0-c466335234ad3fff-docker-0-wait-for-service" timeout
12Health check container logs:
13Service container logs:
142020-04-29T19:26:54.106397353Z time="2020-04-29T19:26:54.102972744Z" level=info msg="Starting up"
152020-04-29T19:26:54.106450027Z time="2020-04-29T19:26:54.104201876Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
162020-04-29T19:26:54.106454450Z time="2020-04-29T19:26:54.104448422Z" level=warning msg="[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]"
172020-04-29T19:26:54.106457939Z time="2020-04-29T19:26:54.105357164Z" level=info msg="libcontainerd: started new containerd process" pid=16
182020-04-29T19:26:54.106461279Z time="2020-04-29T19:26:54.105392614Z" level=info msg="parsed scheme: \"unix\"" module=grpc
192020-04-29T19:26:54.106464651Z time="2020-04-29T19:26:54.105400573Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
202020-04-29T19:26:54.106468142Z time="2020-04-29T19:26:54.105418632Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] }" module=grpc
212020-04-29T19:26:54.106472032Z time="2020-04-29T19:26:54.105427861Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
222020-04-29T19:26:54.106475915Z time="2020-04-29T19:26:54.105484790Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc0005dd850, CONNECTING" module=grpc
232020-04-29T19:26:54.144426914Z time="2020-04-29T19:26:54.143635873Z" level=info msg="starting containerd" revision=894b81a4b802e4eb2a91d1ce216b8817763c29fb version=v1.2.6
242020-04-29T19:26:54.144444666Z time="2020-04-29T19:26:54.143951851Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." type=io.containerd.content.v1
252020-04-29T19:26:54.144448826Z time="2020-04-29T19:26:54.144022747Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." type=io.containerd.snapshotter.v1
262020-04-29T19:26:54.144453146Z time="2020-04-29T19:26:54.144201522Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.btrfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
272020-04-29T19:26:54.144459652Z time="2020-04-29T19:26:54.144213332Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.aufs"..." type=io.containerd.snapshotter.v1
282020-04-29T19:26:54.156535177Z time="2020-04-29T19:26:54.155752043Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.aufs" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
292020-04-29T19:26:54.156551977Z time="2020-04-29T19:26:54.155774634Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.native"..." type=io.containerd.snapshotter.v1
302020-04-29T19:26:54.156556222Z time="2020-04-29T19:26:54.155881270Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.overlayfs"..." type=io.containerd.snapshotter.v1
312020-04-29T19:26:54.156559765Z time="2020-04-29T19:26:54.156018063Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1
322020-04-29T19:26:54.156563427Z time="2020-04-29T19:26:54.156212695Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.zfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter"
332020-04-29T19:26:54.156572032Z time="2020-04-29T19:26:54.156221801Z" level=info msg="loading plugin "io.containerd.metadata.v1.bolt"..." type=io.containerd.metadata.v1
342020-04-29T19:26:54.156584917Z time="2020-04-29T19:26:54.156299648Z" level=warning msg="could not use snapshotter btrfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
352020-04-29T19:26:54.156588508Z time="2020-04-29T19:26:54.156307979Z" level=warning msg="could not use snapshotter aufs in metadata plugin" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
362020-04-29T19:26:54.156592307Z time="2020-04-29T19:26:54.156315042Z" level=warning msg="could not use snapshotter zfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter"
372020-04-29T19:26:54.166359928Z time="2020-04-29T19:26:54.163231858Z" level=info msg="loading plugin "io.containerd.differ.v1.walking"..." type=io.containerd.differ.v1
382020-04-29T19:26:54.166377218Z time="2020-04-29T19:26:54.163270983Z" level=info msg="loading plugin "io.containerd.gc.v1.scheduler"..." type=io.containerd.gc.v1
392020-04-29T19:26:54.166381248Z time="2020-04-29T19:26:54.163299864Z" level=info msg="loading plugin "io.containerd.service.v1.containers-service"..." type=io.containerd.service.v1
402020-04-29T19:26:54.166395817Z time="2020-04-29T19:26:54.163310744Z" level=info msg="loading plugin "io.containerd.service.v1.content-service"..." type=io.containerd.service.v1
412020-04-29T19:26:54.166399452Z time="2020-04-29T19:26:54.163320819Z" level=info msg="loading plugin "io.containerd.service.v1.diff-service"..." type=io.containerd.service.v1
422020-04-29T19:26:54.166402791Z time="2020-04-29T19:26:54.163331895Z" level=info msg="loading plugin "io.containerd.service.v1.images-service"..." type=io.containerd.service.v1
432020-04-29T19:26:54.166406024Z time="2020-04-29T19:26:54.163343599Z" level=info msg="loading plugin "io.containerd.service.v1.leases-service"..." type=io.containerd.service.v1
442020-04-29T19:26:54.166409166Z time="2020-04-29T19:26:54.163353812Z" level=info msg="loading plugin "io.containerd.service.v1.namespaces-service"..." type=io.containerd.service.v1
452020-04-29T19:26:54.166412289Z time="2020-04-29T19:26:54.163364633Z" level=info msg="loading plugin "io.containerd.service.v1.snapshots-service"..." type=io.containerd.service.v1
462020-04-29T19:26:54.166415876Z time="2020-04-29T19:26:54.163375251Z" level=info msg="loading plugin "io.containerd.runtime.v1.linux"..." type=io.containerd.runtime.v1
472020-04-29T19:26:54.166419335Z time="2020-04-29T19:26:54.163571415Z" level=info msg="loading plugin "io.containerd.runtime.v2.task"..." type=io.containerd.runtime.v2
482020-04-29T19:26:54.166422622Z time="2020-04-29T19:26:54.163669347Z" level=info msg="loading plugin "io.containerd.monitor.v1.cgroups"..." type=io.containerd.monitor.v1
492020-04-29T19:26:54.166433464Z time="2020-04-29T19:26:54.163990218Z" level=info msg="loading plugin "io.containerd.service.v1.tasks-service"..." type=io.containerd.service.v1
502020-04-29T19:26:54.166436903Z time="2020-04-29T19:26:54.164017364Z" level=info msg="loading plugin "io.containerd.internal.v1.restart"..." type=io.containerd.internal.v1
512020-04-29T19:26:54.166440795Z time="2020-04-29T19:26:54.164054830Z" level=info msg="loading plugin "io.containerd.grpc.v1.containers"..." type=io.containerd.grpc.v1
522020-04-29T19:26:54.166444190Z time="2020-04-29T19:26:54.164066066Z" level=info msg="loading plugin "io.containerd.grpc.v1.content"..." type=io.containerd.grpc.v1
532020-04-29T19:26:54.166447497Z time="2020-04-29T19:26:54.164076745Z" level=info msg="loading plugin "io.containerd.grpc.v1.diff"..." type=io.containerd.grpc.v1
542020-04-29T19:26:54.166450735Z time="2020-04-29T19:26:54.164086154Z" level=info msg="loading plugin "io.containerd.grpc.v1.events"..." type=io.containerd.grpc.v1
552020-04-29T19:26:54.166453862Z time="2020-04-29T19:26:54.164095615Z" level=info msg="loading plugin "io.containerd.grpc.v1.healthcheck"..." type=io.containerd.grpc.v1
562020-04-29T19:26:54.166456996Z time="2020-04-29T19:26:54.164104976Z" level=info msg="loading plugin "io.containerd.grpc.v1.images"..." type=io.containerd.grpc.v1
572020-04-29T19:26:54.166460444Z time="2020-04-29T19:26:54.164113786Z" level=info msg="loading plugin "io.containerd.grpc.v1.leases"..." type=io.containerd.grpc.v1
582020-04-29T19:26:54.166463554Z time="2020-04-29T19:26:54.164123036Z" level=info msg="loading plugin "io.containerd.grpc.v1.namespaces"..." type=io.containerd.grpc.v1
592020-04-29T19:26:54.166466770Z time="2020-04-29T19:26:54.164132257Z" level=info msg="loading plugin "io.containerd.internal.v1.opt"..." type=io.containerd.internal.v1
602020-04-29T19:26:54.166470164Z time="2020-04-29T19:26:54.164395858Z" level=info msg="loading plugin "io.containerd.grpc.v1.snapshots"..." type=io.containerd.grpc.v1
612020-04-29T19:26:54.166473476Z time="2020-04-29T19:26:54.164413395Z" level=info msg="loading plugin "io.containerd.grpc.v1.tasks"..." type=io.containerd.grpc.v1
622020-04-29T19:26:54.166476651Z time="2020-04-29T19:26:54.164426514Z" level=info msg="loading plugin "io.containerd.grpc.v1.version"..." type=io.containerd.grpc.v1
632020-04-29T19:26:54.166480798Z time="2020-04-29T19:26:54.164439072Z" level=info msg="loading plugin "io.containerd.grpc.v1.introspection"..." type=io.containerd.grpc.v1
642020-04-29T19:26:54.166484011Z time="2020-04-29T19:26:54.164639332Z" level=info msg=serving... address="/var/run/docker/containerd/containerd-debug.sock"
652020-04-29T19:26:54.166487164Z time="2020-04-29T19:26:54.164693843Z" level=info msg=serving... address="/var/run/docker/containerd/containerd.sock"
662020-04-29T19:26:54.166490298Z time="2020-04-29T19:26:54.164702647Z" level=info msg="containerd successfully booted in 0.021630s"
672020-04-29T19:26:54.190928870Z time="2020-04-29T19:26:54.188414197Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc0005dd850, READY" module=grpc
682020-04-29T19:26:54.190943464Z time="2020-04-29T19:26:54.190031784Z" level=info msg="Setting the storage driver from the $DOCKER_DRIVER environment variable (overlay2)"
692020-04-29T19:26:54.190954572Z time="2020-04-29T19:26:54.190241204Z" level=info msg="parsed scheme: \"unix\"" module=grpc
702020-04-29T19:26:54.190958334Z time="2020-04-29T19:26:54.190284998Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
712020-04-29T19:26:54.190965486Z time="2020-04-29T19:26:54.190303200Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] }" module=grpc
722020-04-29T19:26:54.190969975Z time="2020-04-29T19:26:54.190315320Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
732020-04-29T19:26:54.190973421Z time="2020-04-29T19:26:54.190376365Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc000689900, CONNECTING" module=grpc
742020-04-29T19:26:54.192080262Z time="2020-04-29T19:26:54.191868404Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc000689900, READY" module=grpc
752020-04-29T19:26:54.195021464Z time="2020-04-29T19:26:54.193737079Z" level=info msg="parsed scheme: \"unix\"" module=grpc
762020-04-29T19:26:54.195035363Z time="2020-04-29T19:26:54.193757233Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
772020-04-29T19:26:54.195039492Z time="2020-04-29T19:26:54.193773755Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] }" module=grpc
782020-04-29T19:26:54.195043590Z time="2020-04-29T19:26:54.193782599Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
792020-04-29T19:26:54.195047038Z time="2020-04-29T19:26:54.193823815Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc000689f10, CONNECTING" module=grpc
802020-04-29T19:26:54.195050340Z time="2020-04-29T19:26:54.194415074Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc000689f10, READY" module=grpc
812020-04-29T19:26:54.267030748Z time="2020-04-29T19:26:54.265435065Z" level=info msg="Loading containers: start."
822020-04-29T19:26:54.294357793Z time="2020-04-29T19:26:54.293409657Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: ip: can't find device 'bridge'\nbridge 167936 1 br_netfilter\nstp 16384 1 bridge\nllc 16384 2 bridge,stp\nip: can't find device 'br_netfilter'\nbr_netfilter 24576 0 \nbridge 167936 1 br_netfilter\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n, error: exit status 1"
832020-04-29T19:26:54.307754562Z time="2020-04-29T19:26:54.306536346Z" level=warning msg="Running modprobe nf_nat failed with message: `ip: can't find device 'nf_nat'\nnf_nat_ipv4 16384 2 ipt_MASQUERADE,iptable_nat\nnf_nat 32768 1 nf_nat_ipv4\nnf_conntrack 139264 5 ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,nf_nat,xt_conntrack\nlibcrc32c 16384 2 nf_nat,nf_conntrack\nmodprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1"
842020-04-29T19:26:54.314837857Z time="2020-04-29T19:26:54.312605683Z" level=warning msg="Running modprobe xt_conntrack failed with message: `ip: can't find device 'xt_conntrack'\nxt_conntrack 16384 2 \nnf_conntrack 139264 5 ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,nf_nat,xt_conntrack\nmodprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1"
852020-04-29T19:26:54.420803168Z time="2020-04-29T19:26:54.409948886Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.18.0.0/16. Daemon option --bip can be used to set a preferred IP address"
862020-04-29T19:26:54.462634566Z time="2020-04-29T19:26:54.460475574Z" level=info msg="Loading containers: done."
872020-04-29T19:26:54.552792800Z time="2020-04-29T19:26:54.552386774Z" level=info msg="Docker daemon" commit=aeac9490dc graphdriver(s)=overlay2 version=19.03.0
882020-04-29T19:26:54.552843398Z time="2020-04-29T19:26:54.552540881Z" level=info msg="Daemon has completed initialization"
892020-04-29T19:26:54.577176961Z time="2020-04-29T19:26:54.576999110Z" level=info msg="API listen on [::]:2375"
902020-04-29T19:26:54.577196947Z time="2020-04-29T19:26:54.577074243Z" level=info msg="API listen on /var/run/docker.sock"
91*********
92Pulling docker image docker:19.03.0 ...
93Using docker image sha256:c4154a2b47a18fe9437956ab981bd5924b19e7ae3eb3ed60c42cf8dfa394d550 for docker:19.03.0 ...
94 Preparing environment 00:01
95Running on runner-0277ea0f-project-74823-concurrent-0 via runner-0277ea0f-srm-1588188352-c9170d12...
96 Getting source from Git repository 00:02
97$ eval "$CI_PRE_CLONE_SCRIPT"
98Fetching changes...
99Initialized empty Git repository in /builds/gitlab-org/gitlab-development-kit/.git/
100Created fresh repository.
101From https://gitlab.com/gitlab-org/gitlab-development-kit
102 * [new ref] refs/pipelines/141199456 -> refs/pipelines/141199456
103 * [new branch] 186-nginx-favicon -> origin/186-nginx-favicon
104 * [new branch] 194156-deprecate-procfile -> origin/194156-deprecate-procfile
105 * [new branch] 194156-deprecate-procfile-pre3 -> origin/194156-deprecate-procfile-pre3
106 * [new branch] 202008-disable-drag-from-epic-tree-dropdown-button -> origin/202008-disable-drag-from-epic-tree-dropdown-button
107 * [new branch] 285-consider-using-gitlab-default-shared-styles-for-rubocop -> origin/285-consider-using-gitlab-default-shared-styles-for-rubocop
108 * [new branch] 285-consider-using-gitlab-default-shared-styles-for-rubocop-2 -> origin/285-consider-using-gitlab-default-shared-styles-for-rubocop-2
109 * [new branch] 285-consider-using-gitlab-default-shared-styles-for-rubocop-3 -> origin/285-consider-using-gitlab-default-shared-styles-for-rubocop-3
110 * [new branch] 285-consider-using-gitlab-default-shared-styles-for-rubocop-4 -> origin/285-consider-using-gitlab-default-shared-styles-for-rubocop-4
111 * [new branch] 368-improve-dev-support -> origin/368-improve-dev-support
112 * [new branch] 425-add-gdk-kill -> origin/425-add-gdk-kill
113 * [new branch] 435-use-rubygems-latest -> origin/435-use-rubygems-latest
114 * [new branch] 606-expand-documentation-on-developing-with-gitlab-pages-gdk -> origin/606-expand-documentation-on-developing-with-gitlab-pages-gdk
115 * [new branch] 606-expand-documentation-on-developing-with-gitlab-pages-gdk-2 -> origin/606-expand-documentation-on-developing-with-gitlab-pages-gdk-2
116 * [new branch] 659-validate-gdk-configuration-values -> origin/659-validate-gdk-configuration-values
117 * [new branch] 745-should-we-git-stash-pop-after-a-gdk-update -> origin/745-should-we-git-stash-pop-after-a-gdk-update
118 * [new branch] 755-build-docker-image-for-branches -> origin/755-build-docker-image-for-branches
119 * [new branch] 763-skip-database-seed-when-geo-is-enabled -> origin/763-skip-database-seed-when-geo-is-enabled
120 * [new branch] 767-postgress-address-config-support -> origin/767-postgress-address-config-support
121 * [new branch] 768-add-support-for-geo-secondary-config-option-and-deprecate-geo-enabled -> origin/768-add-support-for-geo-secondary-config-option-and-deprecate-geo-enabled
122 * [new branch] 769-config-deprecation-support -> origin/769-config-deprecation-support
123 * [new branch] 793-transient-gettext-fails-in-verify-update -> origin/793-transient-gettext-fails-in-verify-update
124 * [new branch] 847-follow-up-from-upgrade-to-git-2-26 -> origin/847-follow-up-from-upgrade-to-git-2-26
125 * [new branch] 861-reseed -> origin/861-reseed
126 * [new branch] 865-run-gdk-doctor-in-ci -> origin/865-run-gdk-doctor-in-ci
127 * [new branch] 875-be-more-helpful-when-a-gdk-update-fails -> origin/875-be-more-helpful-when-a-gdk-update-fails
128 * [new branch] 888-allow-registry-to-be-more-configurable -> origin/888-allow-registry-to-be-more-configurable
129 * [new branch] Add-link-to-auto-dev-ops-video-demo -> origin/Add-link-to-auto-dev-ops-video-demo
130 * [new branch] ac-os-gdk.yml-ssot -> origin/ac-os-gdk.yml-ssot
131 * [new branch] add-explicit-make-command -> origin/add-explicit-make-command
132 * [new branch] add-links-to-okta-asa-client-download -> origin/add-links-to-okta-asa-client-download
133 * [new branch] add-option-to-disable-webpack-dev-server-livereload -> origin/add-option-to-disable-webpack-dev-server-livereload
134 * [new branch] add-rule-for-gitlab-git-http-server -> origin/add-rule-for-gitlab-git-http-server
135 * [new branch] add-support-request-template -> origin/add-support-request-template
136 * [new branch] allison.browne-master-patch-04368 -> origin/allison.browne-master-patch-04368
137 * [new branch] apply-postgres-timeouts -> origin/apply-postgres-timeouts
138 * [new branch] ash.mckenzie/support-custom-sha-or-tags -> origin/ash.mckenzie/support-custom-sha-or-tags
139 * [new branch] ashmckenzie/add-rubocop -> origin/ashmckenzie/add-rubocop
140 * [new branch] ashmckenzie/add-url-and-status-message -> origin/ashmckenzie/add-url-and-status-message
141 * [new branch] ashmckenzie/asdf -> origin/ashmckenzie/asdf
142 * [new branch] ashmckenzie/detect-broken-em -> origin/ashmckenzie/detect-broken-em
143 * [new branch] ashmckenzie/geo-allow-enabling-services -> origin/ashmckenzie/geo-allow-enabling-services
144 * [new branch] ashmckenzie/header-section-for-db-migrations -> origin/ashmckenzie/header-section-for-db-migrations
145 * [new branch] ashmckenzie/install-shellcheck-into-docker-image -> origin/ashmckenzie/install-shellcheck-into-docker-image
146 * [new branch] ashmckenzie/new-semver-class -> origin/ashmckenzie/new-semver-class
147 * [new branch] ashmckenzie/nginx-and-sshd-support -> origin/ashmckenzie/nginx-and-sshd-support
148 * [new branch] ashmckenzie/optional-webpack-server -> origin/ashmckenzie/optional-webpack-server
149 * [new branch] ashmckenzie/support-known-diffs -> origin/ashmckenzie/support-known-diffs
150 * [new branch] ashmckenzie/use-gdk-yml-more -> origin/ashmckenzie/use-gdk-yml-more
151 * [new branch] ashmckenzie/vagrant-change-log-dir -> origin/ashmckenzie/vagrant-change-log-dir
152 * [new branch] auto-generate-svgs -> origin/auto-generate-svgs
153 * [new branch] auto-start-docker-daemon -> origin/auto-start-docker-daemon
154 * [new branch] automation-debug-guide -> origin/automation-debug-guide
155 * [new branch] aws-eks-auth-gdk-docs -> origin/aws-eks-auth-gdk-docs
156 * [new branch] better-minikube -> origin/better-minikube
157 * [new branch] brodock/distributed-tracing-fix -> origin/brodock/distributed-tracing-fix
158 * [new branch] brodock/gdk-framework -> origin/brodock/gdk-framework
159 * [new branch] brodock/gdk-root -> origin/brodock/gdk-root
160 * [new branch] brodock/yard-generation -> origin/brodock/yard-generation
161 * [new branch] bvl-external-auth-service -> origin/bvl-external-auth-service
162 * [new branch] caalberts-test-ci -> origin/caalberts-test-ci
163 * [new branch] cablett-display-version -> origin/cablett-display-version
164 * [new branch] change-bind-interface -> origin/change-bind-interface
165 * [new branch] convert-to-rakefile -> origin/convert-to-rakefile
166 * [new branch] db-docker-compose -> origin/db-docker-compose
167 * [new branch] dev-workhorse -> origin/dev-workhorse
168 * [new branch] dev-workhorse-2 -> origin/dev-workhorse-2
169 * [new branch] doc-add-onboarding-setup-howto -> origin/doc-add-onboarding-setup-howto
170 * [new branch] doc-auto-devops-gitlab-qa -> origin/doc-auto-devops-gitlab-qa
171 * [new branch] docker-compose -> origin/docker-compose
172 * [new branch] ee_support -> origin/ee_support
173 * [new branch] el-capitan-users-and-phantomjs -> origin/el-capitan-users-and-phantomjs
174 * [new branch] escape -> origin/escape
175 * [new branch] feature-display-help-info-when-no-arguments-supplied -> origin/feature-display-help-info-when-no-arguments-supplied
176 * [new branch] feature/sm/add-utility-set-ip -> origin/feature/sm/add-utility-set-ip
177 * [new branch] finish_run_script_ruby -> origin/finish_run_script_ruby
178 * [new branch] fix-bundler-version-check -> origin/fix-bundler-version-check
179 * [new branch] fix-vim-commit-textwidth-in-nested-projects -> origin/fix-vim-commit-textwidth-in-nested-projects
180 * [new branch] gdk-docker-minio -> origin/gdk-docker-minio
181 * [new branch] gdk-ee-support -> origin/gdk-ee-support
182 * [new branch] gitaly-force-bundle-install -> origin/gitaly-force-bundle-install
183 * [new branch] gitlab-review-apps -> origin/gitlab-review-apps
184 * [new branch] gitlab-yml-port -> origin/gitlab-yml-port
185 * [new branch] glensc/gitlab-development-kit-dockerfiler-layers -> origin/glensc/gitlab-development-kit-dockerfiler-layers
186 * [new branch] handbook-ee-license -> origin/handbook-ee-license
187 * [new branch] igor-sentinel -> origin/igor-sentinel
188 * [new branch] improved-prometheus-config -> origin/improved-prometheus-config
189 * [new branch] introduce-gitlab-license-file-env-variable -> origin/introduce-gitlab-license-file-env-variable
190 * [new branch] jaeger-gitlab-shell -> origin/jaeger-gitlab-shell
191 * [new branch] jarv/add-troubleshooting-tip-for-osx -> origin/jarv/add-troubleshooting-tip-for-osx
192 * [new branch] jc-fix-internal-socket -> origin/jc-fix-internal-socket
193 * [new branch] jj-ramirez-master-patch-00030 -> origin/jj-ramirez-master-patch-00030
194 * [new branch] jj-ramirez-master-patch-38669 -> origin/jj-ramirez-master-patch-38669
195 * [new branch] jramsay-fix-missing-webpack-port -> origin/jramsay-fix-missing-webpack-port
196 * [new branch] jramsay/mysql -> origin/jramsay/mysql
197 * [new branch] jv-alt-ha -> origin/jv-alt-ha
198 * [new branch] jv-bundle-install-less-verbose -> origin/jv-bundle-install-less-verbose
199 * [new branch] jv-improve-gdk-tail -> origin/jv-improve-gdk-tail
200 * [new branch] jv-investigate-seed-03-failure -> origin/jv-investigate-seed-03-failure
201 * [new branch] jv-move-gitaly -> origin/jv-move-gitaly
202 * [new branch] jv-move-gitaly-2 -> origin/jv-move-gitaly-2
203 * [new branch] jv-runit-wait-longer -> origin/jv-runit-wait-longer
204 * [new branch] jv-test-gitaly-env -> origin/jv-test-gitaly-env
205 * [new branch] leipert-webpack-single-compile -> origin/leipert-webpack-single-compile
206 * [new branch] make-ascii-tanuki-smaller -> origin/make-ascii-tanuki-smaller
207 * [new branch] master -> origin/master
208 * [new branch] mbobin-master-patch-43857 -> origin/mbobin-master-patch-43857
209 * [new branch] mk/configure-geo-secondary -> origin/mk/configure-geo-secondary
210 * [new branch] mk/improve-secondary-update -> origin/mk/improve-secondary-update
211 * [new branch] multi-runner -> origin/multi-runner
212 * [new branch] nicolasdular/update-readme-unified-codebase -> origin/nicolasdular/update-readme-unified-codebase
213 * [new branch] nmezzopera-container-registry-doc -> origin/nmezzopera-container-registry-doc
214 * [new branch] package-registry-enable-docs -> origin/package-registry-enable-docs
215 * [new branch] patch-1 -> origin/patch-1
216 * [new branch] patch-2 -> origin/patch-2
217 * [new branch] patch-3 -> origin/patch-3
218 * [new branch] patch-4 -> origin/patch-4
219 * [new branch] patch-5 -> origin/patch-5
220 * [new branch] patch-go-version -> origin/patch-go-version
221 * [new branch] pks/bundler-version-check -> origin/pks/bundler-version-check
222 * [new branch] rails5_gdk_command -> origin/rails5_gdk_command
223 * [new branch] rchan-gitlab-master-patch-27628 -> origin/rchan-gitlab-master-patch-27628
224 * [new branch] redis-cluster -> origin/redis-cluster
225 * [new branch] require-go-1.9 -> origin/require-go-1.9
226 * [new branch] runner -> origin/runner
227 * [new branch] runner-setup-use-gdk-yml -> origin/runner-setup-use-gdk-yml
228 * [new branch] sdesk-gdk -> origin/sdesk-gdk
229 * [new branch] separate-runner-sections -> origin/separate-runner-sections
230 * [new branch] sh-add-jaeger-http-port -> origin/sh-add-jaeger-http-port
231 * [new branch] sh-fix-gitlab-ci-logs -> origin/sh-fix-gitlab-ci-logs
232 * [new branch] sidekiq-latency -> origin/sidekiq-latency
233 * [new branch] start-sidekiq-without-pidfile -> origin/start-sidekiq-without-pidfile
234 * [new branch] switcher -> origin/switcher
235 * [new branch] tc-sshd -> origin/tc-sshd
236 * [new branch] test-gitaly-make -> origin/test-gitaly-make
237 * [new branch] test-master -> origin/test-master
238 * [new branch] test-master-tkuah -> origin/test-master-tkuah
239 * [new branch] thin-concurrency -> origin/thin-concurrency
240 * [new branch] toon-409-gitlab-pages-is-not-compiled-with-gdk-update-reconfigure-patch-68654 -> origin/toon-409-gitlab-pages-is-not-compiled-with-gdk-update-reconfigure-patch-68654
241 * [new branch] tw-disable-pause-for-warnings -> origin/tw-disable-pause-for-warnings
242 * [new branch] tw-experimental-tunnel-docs -> origin/tw-experimental-tunnel-docs
243 * [new branch] update-es-instructions -> origin/update-es-instructions
244 * [new branch] update-gdk-saml-howto-config -> origin/update-gdk-saml-howto-config
245 * [new branch] update-golang-to-1-13 -> origin/update-golang-to-1-13
246 * [new branch] update-prometheus-yml -> origin/update-prometheus-yml
247 * [new branch] vagrant-ci -> origin/vagrant-ci
248 * [new branch] vagrant-ci-haynes -> origin/vagrant-ci-haynes
249 * [new branch] webpack-compile-once -> origin/webpack-compile-once
250 * [new branch] webpack-without-npm -> origin/webpack-without-npm
251 * [new branch] weimeng-update-prepare-yarn -> origin/weimeng-update-prepare-yarn
252 * [new branch] win10bash-setupguide -> origin/win10bash-setupguide
253 * [new branch] winh-brew-installation-postgresql-9.6 -> origin/winh-brew-installation-postgresql-9.6
254 * [new branch] winh-gitlab-clone-dir -> origin/winh-gitlab-clone-dir
255 * [new branch] workhorse-stunnel-syntax -> origin/workhorse-stunnel-syntax
256 * [new branch] zj-checkout-mr -> origin/zj-checkout-mr
257 * [new branch] zj-praefect-in-gdk -> origin/zj-praefect-in-gdk
258 * [new tag] v0.1.1 -> v0.1.1
259 * [new tag] v0.2.0 -> v0.2.0
260 * [new tag] v0.2.1 -> v0.2.1
261 * [new tag] v0.2.2 -> v0.2.2
262 * [new tag] v0.2.4 -> v0.2.4
263 * [new tag] v0.2.5 -> v0.2.5
264Checking out b7bb922c as refs/merge-requests/1213/head...
265Skipping Git submodules setup
266 Restoring cache 00:02
267 Downloading artifacts 00:01
268 Running before_script and script 02:11
269$ docker run -d --name db arminc/clair-db:latest
270Unable to find image 'arminc/clair-db:latest' locally
271latest: Pulling from arminc/clair-db
272c9b1b535fdd9: Pulling fs layer
273d1030c456d04: Pulling fs layer
274d1d0211bbd9a: Pulling fs layer
27507d0560c0a3f: Pulling fs layer
276ce7fd4584a5f: Pulling fs layer
27763eb0325fe1c: Pulling fs layer
278b67486507716: Pulling fs layer
279f58de2b85820: Pulling fs layer
280ca982626dd56: Pulling fs layer
2817f15c670decb: Pulling fs layer
28207d0560c0a3f: Waiting
283ce7fd4584a5f: Waiting
28463eb0325fe1c: Waiting
285b67486507716: Waiting
286f58de2b85820: Waiting
287ca982626dd56: Waiting
2887f15c670decb: Waiting
289d1030c456d04: Verifying Checksum
290d1030c456d04: Download complete
291d1d0211bbd9a: Verifying Checksum
292d1d0211bbd9a: Download complete
293c9b1b535fdd9: Verifying Checksum
294c9b1b535fdd9: Download complete
295ce7fd4584a5f: Verifying Checksum
296ce7fd4584a5f: Download complete
29763eb0325fe1c: Verifying Checksum
29863eb0325fe1c: Download complete
299c9b1b535fdd9: Pull complete
300b67486507716: Verifying Checksum
301b67486507716: Download complete
302d1030c456d04: Pull complete
303d1d0211bbd9a: Pull complete
304f58de2b85820: Verifying Checksum
305f58de2b85820: Download complete
306ca982626dd56: Verifying Checksum
307ca982626dd56: Download complete
30807d0560c0a3f: Verifying Checksum
30907d0560c0a3f: Download complete
3107f15c670decb: Verifying Checksum
3117f15c670decb: Download complete
31207d0560c0a3f: Pull complete
313ce7fd4584a5f: Pull complete
31463eb0325fe1c: Pull complete
315b67486507716: Pull complete
316f58de2b85820: Pull complete
317ca982626dd56: Pull complete
3187f15c670decb: Pull complete
319Digest: sha256:99371c45210869b713e9a1a30f75cb75a5daae5f89f6d01912a853e6bc0502a1
320Status: Downloaded newer image for arminc/clair-db:latest
3210d48531a517c85c4f8e8b4d6b790deb350268217528ab411a5ac1ae64d34eeac
322$ docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
323Unable to find image 'arminc/clair-local-scan:v2.0.1' locally
324v2.0.1: Pulling from arminc/clair-local-scan
325c1c1ba809094: Pulling fs layer
326cd8c57a978ea: Pulling fs layer
327db5c04427876: Pulling fs layer
32841067eda4322: Pulling fs layer
32915f094cf842d: Pulling fs layer
330b6787841faf3: Pulling fs layer
331a3ed95caeb02: Pulling fs layer
33221825b83a534: Pulling fs layer
333b80a1286a3db: Pulling fs layer
3345dc055601c8a: Pulling fs layer
33541067eda4322: Waiting
33615f094cf842d: Waiting
337b6787841faf3: Waiting
338a3ed95caeb02: Waiting
33921825b83a534: Waiting
340b80a1286a3db: Waiting
3415dc055601c8a: Waiting
342db5c04427876: Verifying Checksum
343db5c04427876: Download complete
344cd8c57a978ea: Verifying Checksum
345cd8c57a978ea: Download complete
346c1c1ba809094: Verifying Checksum
347c1c1ba809094: Download complete
34815f094cf842d: Verifying Checksum
34915f094cf842d: Download complete
350c1c1ba809094: Pull complete
351b6787841faf3: Verifying Checksum
352b6787841faf3: Download complete
353a3ed95caeb02: Verifying Checksum
354a3ed95caeb02: Download complete
355cd8c57a978ea: Pull complete
356db5c04427876: Pull complete
35721825b83a534: Verifying Checksum
35821825b83a534: Download complete
35941067eda4322: Verifying Checksum
36041067eda4322: Download complete
3615dc055601c8a: Verifying Checksum
3625dc055601c8a: Download complete
363b80a1286a3db: Verifying Checksum
364b80a1286a3db: Download complete
36541067eda4322: Pull complete
36615f094cf842d: Pull complete
367b6787841faf3: Pull complete
368a3ed95caeb02: Pull complete
36921825b83a534: Pull complete
370b80a1286a3db: Pull complete
3715dc055601c8a: Pull complete
372Digest: sha256:f03669402303b56f2bc2cc0e432b0caa56cdba8cd79c0da9687e5db87a047bdc
373Status: Downloaded newer image for arminc/clair-local-scan:v2.0.1
374c9f31f03e7e991c712ba4e8507c95ef6a182f6ec09a58e9b714a154e344f1179
375$ apk add -U wget ca-certificates
376fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
377fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
378(1/1) Installing wget (1.20.3-r0)
379Executing busybox-1.30.1-r2.trigger
380OK: 7 MiB in 16 packages
381$ docker pull ${TEST_IMAGE}
382latest: Pulling from gitlab-org/gitlab-development-kit
3835bed26d33875: Pulling fs layer
384f11b29a9c730: Pulling fs layer
385930bda195c84: Pulling fs layer
38678bf9a5ad49e: Pulling fs layer
38731dc7538b582: Pulling fs layer
388921f9042118e: Pulling fs layer
389e8150014c6b5: Pulling fs layer
39032ebfbe5dbd1: Pulling fs layer
3914fbed2510a9f: Pulling fs layer
39284e4876d6aa4: Pulling fs layer
393e123835fbdb3: Pulling fs layer
394e0b5da0000a6: Pulling fs layer
395e2024e8fd5a6: Pulling fs layer
39678bf9a5ad49e: Waiting
39731dc7538b582: Waiting
398921f9042118e: Waiting
399e8150014c6b5: Waiting
40032ebfbe5dbd1: Waiting
4014fbed2510a9f: Waiting
40284e4876d6aa4: Waiting
403e123835fbdb3: Waiting
404e0b5da0000a6: Waiting
405e2024e8fd5a6: Waiting
406f11b29a9c730: Verifying Checksum
407f11b29a9c730: Download complete
40878bf9a5ad49e: Verifying Checksum
40978bf9a5ad49e: Download complete
410930bda195c84: Verifying Checksum
411930bda195c84: Download complete
412921f9042118e: Verifying Checksum
413921f9042118e: Download complete
41431dc7538b582: Verifying Checksum
41531dc7538b582: Download complete
4165bed26d33875: Verifying Checksum
4175bed26d33875: Download complete
41832ebfbe5dbd1: Verifying Checksum
41932ebfbe5dbd1: Download complete
42084e4876d6aa4: Verifying Checksum
42184e4876d6aa4: Download complete
422e123835fbdb3: Verifying Checksum
423e123835fbdb3: Download complete
4244fbed2510a9f: Verifying Checksum
4254fbed2510a9f: Download complete
426e2024e8fd5a6: Verifying Checksum
427e2024e8fd5a6: Download complete
428e0b5da0000a6: Verifying Checksum
429e0b5da0000a6: Download complete
430e8150014c6b5: Verifying Checksum
431e8150014c6b5: Download complete
4325bed26d33875: Pull complete
433f11b29a9c730: Pull complete
434930bda195c84: Pull complete
43578bf9a5ad49e: Pull complete
43631dc7538b582: Pull complete
437921f9042118e: Pull complete
438e8150014c6b5: Pull complete
43932ebfbe5dbd1: Pull complete
4404fbed2510a9f: Pull complete
44184e4876d6aa4: Pull complete
442e123835fbdb3: Pull complete
443e0b5da0000a6: Pull complete
444e2024e8fd5a6: Pull complete
445Digest: sha256:46955d6893d6fd9ea6d13187b1fa247b4e85cbc9c247beee5fcc6c04763b113f
446Status: Downloaded newer image for registry.gitlab.com/gitlab-org/gitlab-development-kit:latest
447registry.gitlab.com/gitlab-org/gitlab-development-kit:latest
448$ wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
449--2020-04-29 19:28:47-- https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
450Resolving github.com... 140.82.113.4
451Connecting to github.com|140.82.113.4|:443... connected.
452HTTP request sent, awaiting response... 302 Found
453Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/86972405/4061695e-f44f-11e7-97fe-da8073f4908c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200429%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200429T192649Z&X-Amz-Expires=300&X-Amz-Signature=34ae5d5fab55683bcc47e75d58446091f94e96179ae6c2b6868f560b60c886d7&X-Amz-SignedHeaders=host&actor_id=0&repo_id=86972405&response-content-disposition=attachment%3B%20filename%3Dclair-scanner_linux_amd64&response-content-type=application%2Foctet-stream [following]
454--2020-04-29 19:28:47-- https://github-production-release-asset-2e65be.s3.amazonaws.com/86972405/4061695e-f44f-11e7-97fe-da8073f4908c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200429%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200429T192649Z&X-Amz-Expires=300&X-Amz-Signature=34ae5d5fab55683bcc47e75d58446091f94e96179ae6c2b6868f560b60c886d7&X-Amz-SignedHeaders=host&actor_id=0&repo_id=86972405&response-content-disposition=attachment%3B%20filename%3Dclair-scanner_linux_amd64&response-content-type=application%2Foctet-stream
455Resolving github-production-release-asset-2e65be.s3.amazonaws.com... 52.216.161.75
456Connecting to github-production-release-asset-2e65be.s3.amazonaws.com|52.216.161.75|:443... connected.
457HTTP request sent, awaiting response... 200 OK
458Length: 9862522 (9.4M) [application/octet-stream]
459Saving to: 'clair-scanner_linux_amd64'
460 0K .......... .......... .......... .......... .......... 0% 3.42M 3s
461 50K .......... .......... .......... .......... .......... 1% 3.36M 3s
462 100K .......... .......... .......... .......... .......... 1% 5.10M 2s
463 150K .......... .......... .......... .......... .......... 2% 29.5M 2s
464 200K .......... .......... .......... .......... .......... 2% 225M 2s
465 250K .......... .......... .......... .......... .......... 3% 4.30M 2s
466 300K .......... .......... .......... .......... .......... 3% 45.4M 1s
467 350K .......... .......... .......... .......... .......... 4% 4.41M 1s
468 400K .......... .......... .......... .......... .......... 4% 177M 1s
469 450K .......... .......... .......... .......... .......... 5% 299M 1s
470 500K .......... .......... .......... .......... .......... 5% 60.4M 1s
471 550K .......... .......... .......... .......... .......... 6% 44.1M 1s
472 600K .......... .......... .......... .......... .......... 6% 249M 1s
473 650K .......... .......... .......... .......... .......... 7% 276M 1s
474 700K .......... .......... .......... .......... .......... 7% 4.87M 1s
475 750K .......... .......... .......... .......... .......... 8% 29.6M 1s
476 800K .......... .......... .......... .......... .......... 8% 241M 1s
477 850K .......... .......... .......... .......... .......... 9% 289M 1s
478 900K .......... .......... .......... .......... .......... 9% 251M 1s
479 950K .......... .......... .......... .......... .......... 10% 195M 1s
480 1000K .......... .......... .......... .......... .......... 10% 235M 1s
481 1050K .......... .......... .......... .......... .......... 11% 118M 1s
482 1100K .......... .......... .......... .......... .......... 11% 231M 1s
483 1150K .......... .......... .......... .......... .......... 12% 238M 1s
484 1200K .......... .......... .......... .......... .......... 12% 278M 1s
485 1250K .......... .......... .......... .......... .......... 13% 282M 1s
486 1300K .......... .......... .......... .......... .......... 14% 317M 0s
487 1350K .......... .......... .......... .......... .......... 14% 279M 0s
488 1400K .......... .......... .......... .......... .......... 15% 119M 0s
489 1450K .......... .......... .......... .......... .......... 15% 5.49M 0s
490 1500K .......... .......... .......... .......... .......... 16% 246M 0s
491 1550K .......... .......... .......... .......... .......... 16% 246M 0s
492 1600K .......... .......... .......... .......... .......... 17% 325M 0s
493 1650K .......... .......... .......... .......... .......... 17% 355M 0s
494 1700K .......... .......... .......... .......... .......... 18% 52.6M 0s
495 1750K .......... .......... .......... .......... .......... 18% 39.0M 0s
496 1800K .......... .......... .......... .......... .......... 19% 156M 0s
497 1850K .......... .......... .......... .......... .......... 19% 232M 0s
498 1900K .......... .......... .......... .......... .......... 20% 247M 0s
499 1950K .......... .......... .......... .......... .......... 20% 251M 0s
500 2000K .......... .......... .......... .......... .......... 21% 269M 0s
501 2050K .......... .......... .......... .......... .......... 21% 290M 0s
502 2100K .......... .......... .......... .......... .......... 22% 231M 0s
503 2150K .......... .......... .......... .......... .......... 22% 264M 0s
504 2200K .......... .......... .......... .......... .......... 23% 273M 0s
505 2250K .......... .......... .......... .......... .......... 23% 251M 0s
506 2300K .......... .......... .......... .......... .......... 24% 229M 0s
507 2350K .......... .......... .......... .......... .......... 24% 297M 0s
508 2400K .......... .......... .......... .......... .......... 25% 345M 0s
509 2450K .......... .......... .......... .......... .......... 25% 346M 0s
510 2500K .......... .......... .......... .......... .......... 26% 309M 0s
511 2550K .......... .......... .......... .......... .......... 26% 325M 0s
512 2600K .......... .......... .......... .......... .......... 27% 4.75M 0s
513 2650K .......... .......... .......... .......... .......... 28% 17.6M 0s
514 2700K .......... .......... .......... .......... .......... 28% 206M 0s
515 2750K .......... .......... .......... .......... .......... 29% 302M 0s
516 2800K .......... .......... .......... .......... .......... 29% 297M 0s
517 2850K .......... .......... .......... .......... .......... 30% 252M 0s
518 2900K .......... .......... .......... .......... .......... 30% 230M 0s
519 2950K .......... .......... .......... .......... .......... 31% 301M 0s
520 3000K .......... .......... .......... .......... .......... 31% 294M 0s
521 3050K .......... .......... .......... .......... .......... 32% 296M 0s
522 3100K .......... .......... .......... .......... .......... 32% 221M 0s
523 3150K .......... .......... .......... .......... .......... 33% 344M 0s
524 3200K .......... .......... .......... .......... .......... 33% 263M 0s
525 3250K .......... .......... .......... .......... .......... 34% 277M 0s
526 3300K .......... .......... .......... .......... .......... 34% 272M 0s
527 3350K .......... .......... .......... .......... .......... 35% 146M 0s
528 3400K .......... .......... .......... .......... .......... 35% 326M 0s
529 3450K .......... .......... .......... .......... .......... 36% 19.5M 0s
530 3500K .......... .......... .......... .......... .......... 36% 34.2M 0s
531 3550K .......... .......... .......... .......... .......... 37% 232M 0s
532 3600K .......... .......... .......... .......... .......... 37% 272M 0s
533 3650K .......... .......... .......... .......... .......... 38% 318M 0s
534 3700K .......... .......... .......... .......... .......... 38% 32.1M 0s
535 3750K .......... .......... .......... .......... .......... 39% 229M 0s
536 3800K .......... .......... .......... .......... .......... 39% 301M 0s
537 3850K .......... .......... .......... .......... .......... 40% 303M 0s
538 3900K .......... .......... .......... .......... .......... 41% 250M 0s
539 3950K .......... .......... .......... .......... .......... 41% 310M 0s
540 4000K .......... .......... .......... .......... .......... 42% 249M 0s
541 4050K .......... .......... .......... .......... .......... 42% 285M 0s
542 4100K .......... .......... .......... .......... .......... 43% 242M 0s
543 4150K .......... .......... .......... .......... .......... 43% 323M 0s
544 4200K .......... .......... .......... .......... .......... 44% 277M 0s
545 4250K .......... .......... .......... .......... .......... 44% 328M 0s
546 4300K .......... .......... .......... .......... .......... 45% 197M 0s
547 4350K .......... .......... .......... .......... .......... 45% 285M 0s
548 4400K .......... .......... .......... .......... .......... 46% 282M 0s
549 4450K .......... .......... .......... .......... .......... 46% 279M 0s
550 4500K .......... .......... .......... .......... .......... 47% 281M 0s
551 4550K .......... .......... .......... .......... .......... 47% 270M 0s
552 4600K .......... .......... .......... .......... .......... 48% 13.5M 0s
553 4650K .......... .......... .......... .......... .......... 48% 227M 0s
554 4700K .......... .......... .......... .......... .......... 49% 257M 0s
555 4750K .......... .......... .......... .......... .......... 49% 243M 0s
556 4800K .......... .......... .......... .......... .......... 50% 288M 0s
557 4850K .......... .......... .......... .......... .......... 50% 284M 0s
558 4900K .......... .......... .......... .......... .......... 51% 249M 0s
559 4950K .......... .......... .......... .......... .......... 51% 317M 0s
560 5000K .......... .......... .......... .......... .......... 52% 237M 0s
561 5050K .......... .......... .......... .......... .......... 52% 312M 0s
562 5100K .......... .......... .......... .......... .......... 53% 275M 0s
563 5150K .......... .......... .......... .......... .......... 53% 281M 0s
564 5200K .......... .......... .......... .......... .......... 54% 17.1M 0s
565 5250K .......... .......... .......... .......... .......... 55% 60.1M 0s
566 5300K .......... .......... .......... .......... .......... 55% 300M 0s
567 5350K .......... .......... .......... .......... .......... 56% 266M 0s
568 5400K .......... .......... .......... .......... .......... 56% 272M 0s
569 5450K .......... .......... .......... .......... .......... 57% 282M 0s
570 5500K .......... .......... .......... .......... .......... 57% 220M 0s
571 5550K .......... .......... .......... .......... .......... 58% 297M 0s
572 5600K .......... .......... .......... .......... .......... 58% 260M 0s
573 5650K .......... .......... .......... .......... .......... 59% 256M 0s
574 5700K .......... .......... .......... .......... .......... 59% 246M 0s
575 5750K .......... .......... .......... .......... .......... 60% 265M 0s
576 5800K .......... .......... .......... .......... .......... 60% 300M 0s
577 5850K .......... .......... .......... .......... .......... 61% 312M 0s
578 5900K .......... .......... .......... .......... .......... 61% 241M 0s
579 5950K .......... .......... .......... .......... .......... 62% 271M 0s
580 6000K .......... .......... .......... .......... .......... 62% 266M 0s
581 6050K .......... .......... .......... .......... .......... 63% 13.3M 0s
582 6100K .......... .......... .......... .......... .......... 63% 107M 0s
583 6150K .......... .......... .......... .......... .......... 64% 293M 0s
584 6200K .......... .......... .......... .......... .......... 64% 295M 0s
585 6250K .......... .......... .......... .......... .......... 65% 312M 0s
586 6300K .......... .......... .......... .......... .......... 65% 262M 0s
587 6350K .......... .......... .......... .......... .......... 66% 298M 0s
588 6400K .......... .......... .......... .......... .......... 66% 289M 0s
589 6450K .......... .......... .......... .......... .......... 67% 293M 0s
590 6500K .......... .......... .......... .......... .......... 68% 279M 0s
591 6550K .......... .......... .......... .......... .......... 68% 321M 0s
592 6600K .......... .......... .......... .......... .......... 69% 318M 0s
593 6650K .......... .......... .......... .......... .......... 69% 308M 0s
594 6700K .......... .......... .......... .......... .......... 70% 238M 0s
595 6750K .......... .......... .......... .......... .......... 70% 315M 0s
596 6800K .......... .......... .......... .......... .......... 71% 306M 0s
597 6850K .......... .......... .......... .......... .......... 71% 345M 0s
598 6900K .......... .......... .......... .......... .......... 72% 286M 0s
599 6950K .......... .......... .......... .......... .......... 72% 323M 0s
600 7000K .......... .......... .......... .......... .......... 73% 24.6M 0s
601 7050K .......... .......... .......... .......... .......... 73% 24.3M 0s
602 7100K .......... .......... .......... .......... .......... 74% 129M 0s
603 7150K .......... .......... .......... .......... .......... 74% 339M 0s
604 7200K .......... .......... .......... .......... .......... 75% 289M 0s
605 7250K .......... .......... .......... .......... .......... 75% 308M 0s
606 7300K .......... .......... .......... .......... .......... 76% 280M 0s
607 7350K .......... .......... .......... .......... .......... 76% 276M 0s
608 7400K .......... .......... .......... .......... .......... 77% 296M 0s
609 7450K .......... .......... .......... .......... .......... 77% 279M 0s
610 7500K .......... .......... .......... .......... .......... 78% 292M 0s
611 7550K .......... .......... .......... .......... .......... 78% 284M 0s
612 7600K .......... .......... .......... .......... .......... 79% 345M 0s
613 7650K .......... .......... .......... .......... .......... 79% 260M 0s
614 7700K .......... .......... .......... .......... .......... 80% 294M 0s
615 7750K .......... .......... .......... .......... .......... 80% 350M 0s
616 7800K .......... .......... .......... .......... .......... 81% 348M 0s
617 7850K .......... .......... .......... .......... .......... 82% 351M 0s
618 7900K .......... .......... .......... .......... .......... 82% 293M 0s
619 7950K .......... .......... .......... .......... .......... 83% 315M 0s
620 8000K .......... .......... .......... .......... .......... 83% 14.4M 0s
621 8050K .......... .......... .......... .......... .......... 84% 102M 0s
622 8100K .......... .......... .......... .......... .......... 84% 133M 0s
623 8150K .......... .......... .......... .......... .......... 85% 342M 0s
624 8200K .......... .......... .......... .......... .......... 85% 354M 0s
625 8250K .......... .......... .......... .......... .......... 86% 323M 0s
626 8300K .......... .......... .......... .......... .......... 86% 295M 0s
627 8350K .......... .......... .......... .......... .......... 87% 329M 0s
628 8400K .......... .......... .......... .......... .......... 87% 314M 0s
629 8450K .......... .......... .......... .......... .......... 88% 350M 0s
630 8500K .......... .......... .......... .......... .......... 88% 294M 0s
631 8550K .......... .......... .......... .......... .......... 89% 352M 0s
632 8600K .......... .......... .......... .......... .......... 89% 348M 0s
633 8650K .......... .......... .......... .......... .......... 90% 353M 0s
634 8700K .......... .......... .......... .......... .......... 90% 240M 0s
635 8750K .......... .......... .......... .......... .......... 91% 331M 0s
636 8800K .......... .......... .......... .......... .......... 91% 325M 0s
637 8850K .......... .......... .......... .......... .......... 92% 345M 0s
638 8900K .......... .......... .......... .......... .......... 92% 309M 0s
639 8950K .......... .......... .......... .......... .......... 93% 353M 0s
640 9000K .......... .......... .......... .......... .......... 93% 321M 0s
641 9050K .......... .......... .......... .......... .......... 94% 18.9M 0s
642 9100K .......... .......... .......... .......... .......... 95% 37.0M 0s
643 9150K .......... .......... .......... .......... .......... 95% 105M 0s
644 9200K .......... .......... .......... .......... .......... 96% 99.5M 0s
645 9250K .......... .......... .......... .......... .......... 96% 296M 0s
646 9300K .......... .......... .......... .......... .......... 97% 282M 0s
647 9350K .......... .......... .......... .......... .......... 97% 355M 0s
648 9400K .......... .......... .......... .......... .......... 98% 359M 0s
649 9450K .......... .......... .......... .......... .......... 98% 345M 0s
650 9500K .......... .......... .......... .......... .......... 99% 286M 0s
651 9550K .......... .......... .......... .......... .......... 99% 353M 0s
652 9600K .......... .......... .......... . 100% 273M=0.2s
6532020-04-29 19:28:48 (58.8 MB/s) - 'clair-scanner_linux_amd64' saved [9862522/9862522]
654$ mv clair-scanner_linux_amd64 clair-scanner
655$ chmod +x clair-scanner
656$ touch clair-whitelist.yml
657$ retries=0
658$ echo "Waiting for clair daemon to start"
659Waiting for clair daemon to start
660$ while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
661$ ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${TEST_IMAGE} || true
6622020/04/29 19:28:48 [INFO] ▶ Start clair-scanner
6632020/04/29 19:29:29 [INFO] ▶ Server listening on port 9279
6642020/04/29 19:29:29 [INFO] ▶ Analyzing c04ff1820d1857aed15ab3884e18b63bcffcee7e1d3f20575dc05c251b8fe9e3
6652020/04/29 19:29:33 [INFO] ▶ Analyzing e21c93ee46e050c5be8f77e1048d1f9b6679941570972c6ffdd0f71aa38ddb25
6662020/04/29 19:29:33 [INFO] ▶ Analyzing 85a81177d4281af6c8dc7e4cfcc8aa33f9c031991eaf2e349628e3b462c9fb82
6672020/04/29 19:29:33 [INFO] ▶ Analyzing c1b9fef39412d08501ffd64acc490dd8cb50616dd4eb640dfc3e3995ee4f4f80
6682020/04/29 19:29:33 [INFO] ▶ Analyzing 6ff656bed4ef7b5814a3a0150beba358f60f605746d879598673795e82258b6a
6692020/04/29 19:29:33 [INFO] ▶ Analyzing b00fa4582f48201493b02d6d8dc359c6dd4849d73d44870b55495ea73f8f055c
6702020/04/29 19:29:33 [INFO] ▶ Analyzing 3d4262b1be21453197175847f3567173b1a777883e49b15f28b1d5f2aeec5ae5
6712020/04/29 19:29:35 [INFO] ▶ Analyzing fc2ac42e2d9a19ddb29a49cff2c477574c705813667b3850b02f41b297019b47
6722020/04/29 19:29:35 [INFO] ▶ Analyzing 3ca055a348ad145a80bd951601f983d9f8c15263beef5285f5102f9baa854757
6732020/04/29 19:29:42 [INFO] ▶ Analyzing dbe2731f6727932e0b91f50f0e747d8340e894ee9d89961f82d650f8a3aed20b
6742020/04/29 19:29:43 [INFO] ▶ Analyzing 9d5ec30801de4b198c88befe84ec4abf1e9a32f7092e002c4c2d00fcc398251c
6752020/04/29 19:29:44 [INFO] ▶ Analyzing 00de954fb63f28ffd9eaaa189b9ba1a3d41bbecabecd910bcf19cef75479509e
6762020/04/29 19:29:45 [INFO] ▶ Analyzing 31144ac48d1da845d7b8e101443df83c923a507f57b77af550eca730424e0a8f
6772020/04/29 19:29:45 [WARN] ▶ Image [registry.gitlab.com/gitlab-org/gitlab-development-kit:latest] contains 123 total vulnerabilities
6782020/04/29 19:29:45 [ERRO] ▶ Image [registry.gitlab.com/gitlab-org/gitlab-development-kit:latest] contains 123 unapproved vulnerabilities
679+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
680| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
681+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
682| Unapproved | Medium CVE-2019-17451 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
683| | | | | (BFD) library (aka libbfd), as distributed in |
684| | | | | GNU Binutils 2.32. It is an integer overflow |
685| | | | | leading to a SEGV in _bfd_dwarf2_find_nearest_line |
686| | | | | in dwarf2.c, as demonstrated by nm. |
687| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-17451 |
688+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
689| Unapproved | Medium CVE-2019-19126 | glibc | 2.27-3ubuntu1 | On the x86-64 architecture, the GNU C Library (aka glibc) |
690| | | | | before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC |
691| | | | | environment variable during program execution after |
692| | | | | a security transition, allowing local attackers to |
693| | | | | restrict the possible mapping addresses for loaded |
694| | | | | libraries and thus bypass ASLR for a setuid program. |
695| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19126 |
696+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
697| Unapproved | Medium CVE-2018-11237 | glibc | 2.27-3ubuntu1 | An AVX-512-optimized implementation of the mempcpy |
698| | | | | function in the GNU C Library (aka glibc or libc6) 2.27 and |
699| | | | | earlier may write data beyond the target buffer, leading |
700| | | | | to a buffer overflow in __mempcpy_avx512_no_vzeroupper. |
701| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237 |
702+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
703| Unapproved | Medium CVE-2018-20217 | krb5 | 1.16-2ubuntu0.1 | A Reachable Assertion issue was discovered in the KDC |
704| | | | | in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker |
705| | | | | can obtain a krbtgt ticket using an older encryption |
706| | | | | type (single-DES, triple-DES, or RC4), the attacker |
707| | | | | can crash the KDC by making an S4U2Self request. |
708| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20217 |
709+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
710| Unapproved | Medium CVE-2016-9085 | libwebp | 0.6.1-2 | Multiple integer overflows in libwebp allows attackers |
711| | | | | to have unspecified impact via unknown vectors. |
712| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9085 |
713+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
714| Unapproved | Medium CVE-2018-11236 | glibc | 2.27-3ubuntu1 | stdlib/canonicalize.c in the GNU C Library (aka glibc |
715| | | | | or libc6) 2.27 and earlier, when processing very |
716| | | | | long pathname arguments to the realpath function, |
717| | | | | could encounter an integer overflow on 32-bit |
718| | | | | architectures, leading to a stack-based buffer |
719| | | | | overflow and, potentially, arbitrary code execution. |
720| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11236 |
721+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
722| Unapproved | Medium CVE-2018-20839 | systemd | 237-3ubuntu10.39 | systemd 242 changes the VT1 mode upon a logout, which |
723| | | | | allows attackers to read cleartext passwords in certain |
724| | | | | circumstances, such as watching a shutdown, or using |
725| | | | | Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the |
726| | | | | KDGKBMODE (aka current keyboard mode) check is mishandled. |
727| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20839 |
728+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
729| Unapproved | Medium CVE-2019-19950 | graphicsmagick | 1.3.28-2ubuntu0.1 | In GraphicsMagick 1.4 snapshot-20190403 Q8, |
730| | | | | there is a use-after-free in ThrowException |
731| | | | | and ThrowLoggedException of magick/error.c. |
732| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19950 |
733+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
734| Unapproved | Medium CVE-2020-3898 | cups | 2.2.7-1ubuntu2.7 | A heap-based buffer overflow was discovered in in |
735| | | | | libcups's ppdFindOption() function in ppd-mark.c:430. |
736| | | | | The issue can be reproduced by loading a crafted ppd file |
737| | | | | and calling the ppdMarkDefaults() libcups API function. |
738| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-3898 |
739+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
740| Unapproved | Medium CVE-2019-12921 | graphicsmagick | 1.3.28-2ubuntu0.1 | In GraphicsMagick before 1.3.32, the text filename |
741| | | | | component allows remote attackers to read arbitrary files |
742| | | | | via a crafted image because of TranslateTextEx for SVG. |
743| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12921 |
744+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
745| Unapproved | Medium CVE-2018-19591 | glibc | 2.27-3ubuntu1 | In the GNU C Library (aka glibc or libc6) through 2.28, |
746| | | | | attempting to resolve a crafted hostname via getaddrinfo() |
747| | | | | leads to the allocation of a socket descriptor that is not |
748| | | | | closed. This is related to the if_nametoindex() function. |
749| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-19591 |
750+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
751| Unapproved | Medium CVE-2019-9513 | nghttp2 | 1.30.0-1ubuntu1 | Some HTTP/2 implementations are vulnerable to |
752| | | | | resource loops, potentially leading to a denial |
753| | | | | of service. The attacker creates multiple request |
754| | | | | streams and continually shuffles the priority of |
755| | | | | the streams in a way that causes substantial churn |
756| | | | | to the priority tree. This can consume excess CPU. |
757| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9513 |
758+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
759| Unapproved | Medium CVE-2019-9511 | nghttp2 | 1.30.0-1ubuntu1 | Some HTTP/2 implementations are vulnerable to window |
760| | | | | size manipulation and stream prioritization manipulation, |
761| | | | | potentially leading to a denial of service. The attacker |
762| | | | | requests a large amount of data from a specified resource |
763| | | | | over multiple streams. They manipulate window size and |
764| | | | | stream priority to force the server to queue the data in |
765| | | | | 1-byte chunks. Depending on how efficiently this data is |
766| | | | | queued, this can consume excess CPU, memory, or both. |
767| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9511 |
768+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
769| Unapproved | Medium CVE-2019-19953 | graphicsmagick | 1.3.28-2ubuntu0.1 | In GraphicsMagick 1.4 snapshot-20191208 Q8, |
770| | | | | there is a heap-based buffer over-read in |
771| | | | | the function EncodeImage of coders/pict.c. |
772| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19953 |
773+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
774| Unapproved | Medium CVE-2019-19951 | graphicsmagick | 1.3.28-2ubuntu0.1 | In GraphicsMagick 1.4 snapshot-20190423 Q8, |
775| | | | | there is a heap-based buffer overflow in the |
776| | | | | function ImportRLEPixels of coders/miff.c. |
777| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19951 |
778+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
779| Unapproved | Medium CVE-2019-14444 | binutils | 2.30-21ubuntu1~18.04.2 | apply_relocations in readelf.c in GNU Binutils 2.32 contains |
780| | | | | an integer overflow that allows attackers to trigger a |
781| | | | | write access violation (in byte_put_little_endian function |
782| | | | | in elfcomm.c) via an ELF file, as demonstrated by readelf. |
783| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14444 |
784+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
785| Unapproved | Medium CVE-2016-1585 | apparmor | 2.12-4ubuntu5.1 | In all versions of AppArmor mount rules |
786| | | | | are accidentally widened when compiled. |
787| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585 |
788+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
789| Unapproved | Medium CVE-2019-14250 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in GNU libiberty, as distributed |
790| | | | | in GNU Binutils 2.32. simple_object_elf_match |
791| | | | | in simple-object-elf.c does not check for a zero |
792| | | | | shstrndx value, leading to an integer overflow |
793| | | | | and resultant heap-based buffer overflow. |
794| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14250 |
795+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
796| Unapproved | Low CVE-2019-17543 | lz4 | 0.0~r131-2ubuntu3 | LZ4 before 1.9.2 has a heap-based buffer overflow |
797| | | | | in LZ4_write32 (related to LZ4_compress_destSize), |
798| | | | | affecting applications that call LZ4_compress_fast |
799| | | | | with a large input. (This issue can also lead to |
800| | | | | data corruption.) NOTE: the vendor states "only a few |
801| | | | | specific / uncommon usages of the API are at risk." |
802| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-17543 |
803+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
804| Unapproved | Low CVE-2018-1000876 | binutils | 2.30-21ubuntu1~18.04.2 | binutils version 2.32 and earlier contains |
805| | | | | a Integer Overflow vulnerability in objdump, |
806| | | | | bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc |
807| | | | | that can result in Integer overflow trigger heap overflow. |
808| | | | | Successful exploitation allows execution of arbitrary |
809| | | | | code.. This attack appear to be exploitable via Local. |
810| | | | | This vulnerability appears to have been fixed in after |
811| | | | | commit 3a551c7a1b80fca579461774860574eabfd7f18f. |
812| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000876 |
813+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
814| Unapproved | Low CVE-2018-18700 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in cp-demangle.c in GNU libiberty, as |
815| | | | | distributed in GNU Binutils 2.31. There is a stack consumption |
816| | | | | vulnerability resulting from infinite recursion in the functions |
817| | | | | d_name(), d_encoding(), and d_local_name() in cp-demangle.c. |
818| | | | | Remote attackers could leverage this vulnerability to cause |
819| | | | | a denial-of-service via an ELF file, as demonstrated by nm. |
820| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18700 |
821+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
822| Unapproved | Low CVE-2018-19932 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
823| | | | | (BFD) library (aka libbfd), as distributed in GNU Binutils |
824| | | | | through 2.31. There is an integer overflow and infinite |
825| | | | | loop caused by the IS_CONTAINED_BY_LMA macro in elf.c. |
826| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-19932 |
827+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
828| Unapproved | Low CVE-2018-18701 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in cp-demangle.c in GNU libiberty, as |
829| | | | | distributed in GNU Binutils 2.31. There is a stack consumption |
830| | | | | vulnerability resulting from infinite recursion in the functions |
831| | | | | next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. |
832| | | | | Remote attackers could leverage this vulnerability to cause |
833| | | | | a denial-of-service via an ELF file, as demonstrated by nm. |
834| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18701 |
835+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
836| Unapproved | Low CVE-2018-18607 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in elf_link_input_bfd in |
837| | | | | elflink.c in the Binary File Descriptor (BFD) library |
838| | | | | (aka libbfd), as distributed in GNU Binutils 2.31. There |
839| | | | | is a NULL pointer dereference in elf_link_input_bfd |
840| | | | | when used for finding STT_TLS symbols without any TLS |
841| | | | | section. A specially crafted ELF allows remote attackers |
842| | | | | to cause a denial of service, as demonstrated by ld. |
843| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18607 |
844+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
845| Unapproved | Low CVE-2018-20671 | binutils | 2.30-21ubuntu1~18.04.2 | load_specific_debug_section in objdump.c in GNU Binutils through |
846| | | | | 2.31.1 contains an integer overflow vulnerability that can |
847| | | | | trigger a heap-based buffer overflow via a crafted section size. |
848| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20671 |
849+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
850| Unapproved | Low CVE-2018-19931 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
851| | | | | (BFD) library (aka libbfd), as distributed in GNU |
852| | | | | Binutils through 2.31. There is a heap-based buffer |
853| | | | | overflow in bfd_elf32_swap_phdr_in in elfcode.h because |
854| | | | | the number of program headers is not restricted. |
855| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-19931 |
856+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
857| Unapproved | Low CVE-2018-18484 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in cp-demangle.c in GNU libiberty, as |
858| | | | | distributed in GNU Binutils 2.31. Stack Exhaustion occurs in |
859| | | | | the C++ demangling functions provided by libiberty, and there |
860| | | | | is a stack consumption problem caused by recursive stack frames: |
861| | | | | cplus_demangle_type, d_bare_function_type, d_function_type. |
862| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18484 |
863+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
864| Unapproved | Low CVE-2019-17450 | binutils | 2.30-21ubuntu1~18.04.2 | find_abstract_instance in dwarf2.c in the Binary File Descriptor |
865| | | | | (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, |
866| | | | | allows remote attackers to cause a denial of service (infinite |
867| | | | | recursion and application crash) via a crafted ELF file. |
868| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-17450 |
869+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
870| Unapproved | Low CVE-2018-12700 | binutils | 2.30-21ubuntu1~18.04.2 | A Stack Exhaustion issue was discovered in |
871| | | | | debug_write_type in debug.c in GNU Binutils 2.30 |
872| | | | | because of DEBUG_KIND_INDIRECT infinite recursion. |
873| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-12700 |
874+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
875| Unapproved | Low CVE-2018-20623 | binutils | 2.30-21ubuntu1~18.04.2 | In GNU Binutils 2.31.1, there is a use-after-free in |
876| | | | | the error function in elfcomm.c when called from the |
877| | | | | process_archive function in readelf.c via a crafted ELF file. |
878| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20623 |
879+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
880| Unapproved | Low CVE-2018-12698 | binutils | 2.30-21ubuntu1~18.04.2 | demangle_template in cplus-dem.c in GNU libiberty, as |
881| | | | | distributed in GNU Binutils 2.30, allows attackers to |
882| | | | | trigger excessive memory consumption (aka OOM) during the |
883| | | | | "Create an array for saving the template argument values" |
884| | | | | XNEWVEC call. This can occur during execution of objdump. |
885| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-12698 |
886+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
887| Unapproved | Low CVE-2018-9138 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in cplus-dem.c in GNU libiberty, |
888| | | | | as distributed in GNU Binutils 2.29 and 2.30. Stack |
889| | | | | Exhaustion occurs in the C++ demangling functions provided |
890| | | | | by libiberty, and there are recursive stack frames: |
891| | | | | demangle_nested_args, demangle_args, do_arg, and do_type. |
892| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-9138 |
893+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
894| Unapproved | Low CVE-2019-1010204 | binutils | 2.30-21ubuntu1~18.04.2 | GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) |
895| | | | | is affected by: Improper Input Validation, Signed/Unsigned |
896| | | | | Comparison, Out-of-bounds Read. The impact is: Denial |
897| | | | | of service. The component is: gold/fileread.cc:497, |
898| | | | | elfcpp/elfcpp_file.h:644. The attack vector is: An ELF |
899| | | | | file with an invalid e_shoff header field must be opened. |
900| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1010204 |
901+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
902| Unapproved | Low CVE-2018-8945 | binutils | 2.30-21ubuntu1~18.04.2 | The bfd_section_from_shdr function in elf.c in the Binary File |
903| | | | | Descriptor (BFD) library (aka libbfd), as distributed in GNU |
904| | | | | Binutils 2.30, allows remote attackers to cause a denial of |
905| | | | | service (segmentation fault) via a large attribute section. |
906| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-8945 |
907+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
908| Unapproved | Low CVE-2019-9075 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
909| | | | | (BFD) library (aka libbfd), as distributed in GNU |
910| | | | | Binutils 2.32. It is a heap-based buffer overflow |
911| | | | | in _bfd_archive_64_bit_slurp_armap in archive64.c. |
912| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9075 |
913+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
914| Unapproved | Low CVE-2019-9070 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in GNU libiberty, as distributed in |
915| | | | | GNU Binutils 2.32. It is a heap-based buffer over-read in |
916| | | | | d_expression_1 in cp-demangle.c after many recursive calls. |
917| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9070 |
918+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
919| Unapproved | Low CVE-2019-9074 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
920| | | | | (BFD) library (aka libbfd), as distributed in GNU |
921| | | | | Binutils 2.32. It is an out-of-bounds read leading |
922| | | | | to a SEGV in bfd_getl32 in libbfd.c, when called |
923| | | | | from pex64_get_runtime_function in pei-x86_64.c. |
924| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9074 |
925+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
926| Unapproved | Low CVE-2018-17985 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in cp-demangle.c in GNU |
927| | | | | libiberty, as distributed in GNU Binutils 2.31. |
928| | | | | There is a stack consumption problem caused by the |
929| | | | | cplus_demangle_type function making recursive calls to |
930| | | | | itself in certain scenarios involving many 'P' characters. |
931| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17985 |
932+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
933| Unapproved | Low CVE-2018-18606 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the merge_strings function |
934| | | | | in merge.c in the Binary File Descriptor (BFD) library |
935| | | | | (aka libbfd), as distributed in GNU Binutils 2.31. There |
936| | | | | is a NULL pointer dereference in _bfd_add_merge_section |
937| | | | | when attempting to merge sections with large alignments. |
938| | | | | A specially crafted ELF allows remote attackers to |
939| | | | | cause a denial of service, as demonstrated by ld. |
940| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18606 |
941+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
942| Unapproved | Low CVE-2018-10373 | binutils | 2.30-21ubuntu1~18.04.2 | concat_filename in dwarf2.c in the Binary File Descriptor |
943| | | | | (BFD) library (aka libbfd), as distributed in GNU Binutils |
944| | | | | 2.30, allows remote attackers to cause a denial of |
945| | | | | service (NULL pointer dereference and application crash) |
946| | | | | via a crafted binary file, as demonstrated by nm-new. |
947| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10373 |
948+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
949| Unapproved | Low CVE-2017-13716 | binutils | 2.30-21ubuntu1~18.04.2 | The C++ symbol demangler routine in cplus-dem.c in libiberty, |
950| | | | | as distributed in GNU Binutils 2.29, allows remote attackers |
951| | | | | to cause a denial of service (excessive memory allocation and |
952| | | | | application crash) via a crafted file, as demonstrated by a call |
953| | | | | from the Binary File Descriptor (BFD) library (aka libbfd). |
954| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-13716 |
955+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
956| Unapproved | Low CVE-2018-12934 | binutils | 2.30-21ubuntu1~18.04.2 | remember_Ktype in cplus-dem.c in GNU libiberty, as |
957| | | | | distributed in GNU Binutils 2.30, allows attackers |
958| | | | | to trigger excessive memory consumption (aka |
959| | | | | OOM). This can occur during execution of cxxfilt. |
960| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-12934 |
961+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
962| Unapproved | Low CVE-2018-17794 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in cplus-dem.c in GNU libiberty, |
963| | | | | as distributed in GNU Binutils 2.31. There is a |
964| | | | | NULL pointer dereference in work_stuff_copy_to_from |
965| | | | | when called from iterate_demangle_function. |
966| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17794 |
967+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
968| Unapproved | Low CVE-2018-12699 | binutils | 2.30-21ubuntu1~18.04.2 | finish_stab in stabs.c in GNU Binutils 2.30 allows |
969| | | | | attackers to cause a denial of service (heap-based |
970| | | | | buffer overflow) or possibly have unspecified other |
971| | | | | impact, as demonstrated by an out-of-bounds write of |
972| | | | | 8 bytes. This can occur during execution of objdump. |
973| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-12699 |
974+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
975| Unapproved | Low CVE-2018-18605 | binutils | 2.30-21ubuntu1~18.04.2 | A heap-based buffer over-read issue was discovered in the |
976| | | | | function sec_merge_hash_lookup in merge.c in the Binary |
977| | | | | File Descriptor (BFD) library (aka libbfd), as distributed |
978| | | | | in GNU Binutils 2.31, because _bfd_add_merge_section |
979| | | | | mishandles section merges when size is not a multiple of |
980| | | | | entsize. A specially crafted ELF allows remote attackers |
981| | | | | to cause a denial of service, as demonstrated by ld. |
982| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18605 |
983+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
984| Unapproved | Low CVE-2019-9077 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in GNU Binutils 2.32. It is |
985| | | | | a heap-based buffer overflow in process_mips_specific |
986| | | | | in readelf.c via a malformed MIPS option section. |
987| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9077 |
988+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
989| Unapproved | Low CVE-2018-10535 | binutils | 2.30-21ubuntu1~18.04.2 | The ignore_section_sym function in elf.c in the Binary File |
990| | | | | Descriptor (BFD) library (aka libbfd), as distributed in GNU |
991| | | | | Binutils 2.30, does not validate the output_section pointer |
992| | | | | in the case of a symtab entry with a "SECTION" type that |
993| | | | | has a "0" value, which allows remote attackers to cause a |
994| | | | | denial of service (NULL pointer dereference and application |
995| | | | | crash) via a crafted file, as demonstrated by objcopy. |
996| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10535 |
997+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
998| Unapproved | Low CVE-2018-10534 | binutils | 2.30-21ubuntu1~18.04.2 | The _bfd_XX_bfd_copy_private_bfd_data_common function in |
999| | | | | peXXigen.c in the Binary File Descriptor (BFD) library (aka |
1000| | | | | libbfd), as distributed in GNU Binutils 2.30, processes a |
1001| | | | | negative Data Directory size with an unbounded loop that |
1002| | | | | increases the value of (external_IMAGE_DEBUG_DIRECTORY) |
1003| | | | | *edd so that the address exceeds its own memory |
1004| | | | | region, resulting in an out-of-bounds memory write, |
1005| | | | | as demonstrated by objcopy copying private info with |
1006| | | | | _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c. |
1007| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10534 |
1008+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1009| Unapproved | Low CVE-2019-9073 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
1010| | | | | (BFD) library (aka libbfd), as distributed in GNU |
1011| | | | | Binutils 2.32. It is an attempted excessive memory |
1012| | | | | allocation in _bfd_elf_slurp_version_tables in elf.c. |
1013| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9073 |
1014+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1015| Unapproved | Low CVE-2018-20673 | binutils | 2.30-21ubuntu1~18.04.2 | The demangle_template function in cplus-dem.c in GNU |
1016| | | | | libiberty, as distributed in GNU Binutils 2.31.1, contains |
1017| | | | | an integer overflow vulnerability (for "Create an array |
1018| | | | | for saving the template argument values") that can trigger |
1019| | | | | a heap-based buffer overflow, as demonstrated by nm. |
1020| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20673 |
1021+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1022| Unapproved | Low CVE-2018-12697 | binutils | 2.30-21ubuntu1~18.04.2 | A NULL pointer dereference (aka SEGV on unknown address |
1023| | | | | 0x000000000000) was discovered in work_stuff_copy_to_from |
1024| | | | | in cplus-dem.c in GNU libiberty, as distributed in GNU |
1025| | | | | Binutils 2.30. This can occur during execution of objdump. |
1026| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-12697 |
1027+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1028| Unapproved | Low CVE-2018-9996 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in cplus-dem.c in GNU libiberty, as |
1029| | | | | distributed in GNU Binutils 2.30. Stack Exhaustion occurs in |
1030| | | | | the C++ demangling functions provided by libiberty, and there |
1031| | | | | are recursive stack frames: demangle_template_value_parm, |
1032| | | | | demangle_integral_value, and demangle_expression. |
1033| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-9996 |
1034+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1035| Unapproved | Low CVE-2018-18483 | binutils | 2.30-21ubuntu1~18.04.2 | The get_count function in cplus-dem.c in GNU libiberty, as |
1036| | | | | distributed in GNU Binutils 2.31, allows remote attackers to |
1037| | | | | cause a denial of service (malloc called with the result of an |
1038| | | | | integer-overflowing calculation) or possibly have unspecified |
1039| | | | | other impact via a crafted string, as demonstrated by c++filt. |
1040| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18483 |
1041+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1042| Unapproved | Low CVE-2017-8845 | lzo2 | 2.08-1.2 | The lzo1x_decompress function in lzo1x_d.ch in LZO |
1043| | | | | 2.08, as used in lrzip 0.631, allows remote attackers |
1044| | | | | to cause a denial of service (invalid memory read |
1045| | | | | and application crash) via a crafted archive. |
1046| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-8845 |
1047+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1048| Unapproved | Low CVE-2019-12904 | libgcrypt20 | 1.8.1-4ubuntu1.2 | In Libgcrypt 1.8.4, the C implementation of AES is |
1049| | | | | vulnerable to a flush-and-reload side-channel attack |
1050| | | | | because physical addresses are available to other |
1051| | | | | processes. (The C implementation is used on platforms |
1052| | | | | where an assembly-language implementation is unavailable.) |
1053| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12904 |
1054+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1055| Unapproved | Low CVE-2018-17359 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor (BFD) |
1056| | | | | library (aka libbfd), as distributed in GNU Binutils 2.31. |
1057| | | | | An invalid memory access exists in bfd_zalloc in opncls.c. |
1058| | | | | Attackers could leverage this vulnerability to cause a denial |
1059| | | | | of service (application crash) via a crafted ELF file. |
1060| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17359 |
1061+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1062| Unapproved | Low CVE-2019-12972 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor (BFD) |
1063| | | | | library (aka libbfd), as distributed in GNU Binutils 2.32. |
1064| | | | | There is a heap-based buffer over-read in _bfd_doprnt in bfd.c |
1065| | | | | because elf_object_p in elfcode.h mishandles an e_shstrndx |
1066| | | | | section of type SHT_GROUP by omitting a trailing '\0' character. |
1067| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12972 |
1068+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1069| Unapproved | Low CVE-2016-2781 | coreutils | 8.28-1ubuntu1 | chroot in GNU coreutils, when used with --userspec, |
1070| | | | | allows local users to escape to the parent session |
1071| | | | | via a crafted TIOCSTI ioctl call, which pushes |
1072| | | | | characters to the terminal's input buffer. |
1073| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781 |
1074+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1075| Unapproved | Low CVE-2013-4235 | shadow | 1:4.5-1ubuntu2 | shadow: TOCTOU (time-of-check time-of-use) race |
1076| | | | | condition when copying and removing directory trees |
1077| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2013-4235 |
1078+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1079| Unapproved | Low CVE-2018-7169 | shadow | 1:4.5-1ubuntu2 | An issue was discovered in shadow 4.5. newgidmap (in |
1080| | | | | shadow-utils) is setuid and allows an unprivileged user |
1081| | | | | to be placed in a user namespace where setgroups(2) is |
1082| | | | | permitted. This allows an attacker to remove themselves |
1083| | | | | from a supplementary group, which may allow access to |
1084| | | | | certain filesystem paths if the administrator has used |
1085| | | | | "group blacklisting" (e.g., chmod g-rwx) to restrict access |
1086| | | | | to paths. This flaw effectively reverts a security feature |
1087| | | | | in the kernel (in particular, the /proc/self/setgroups |
1088| | | | | knob) to prevent this sort of privilege escalation. |
1089| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-7169 |
1090+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1091| Unapproved | Low CVE-2018-16868 | gnutls28 | 3.5.18-1ubuntu1.3 | A Bleichenbacher type side-channel based padding oracle |
1092| | | | | attack was found in the way gnutls handles verification |
1093| | | | | of RSA decrypted PKCS#1 v1.5 data. An attacker who is able |
1094| | | | | to run process on the same physical core as the victim |
1095| | | | | process, could use this to extract plaintext or in some |
1096| | | | | cases downgrade any TLS connections to a vulnerable server. |
1097| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16868 |
1098+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1099| Unapproved | Low CVE-2018-17360 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor (BFD) |
1100| | | | | library (aka libbfd), as distributed in GNU Binutils 2.31. a |
1101| | | | | heap-based buffer over-read in bfd_getl32 in libbfd.c allows an |
1102| | | | | attacker to cause a denial of service through a crafted PE file. |
1103| | | | | This vulnerability can be triggered by the executable objdump. |
1104| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17360 |
1105+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1106| Unapproved | Low CVE-2019-1551 | openssl1.0 | 1.0.2n-1ubuntu5.3 | There is an overflow bug in the x64_64 Montgomery squaring |
1107| | | | | procedure used in exponentiation with 512-bit moduli. No |
1108| | | | | EC algorithms are affected. Analysis suggests that attacks |
1109| | | | | against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 |
1110| | | | | as a result of this defect would be very difficult to |
1111| | | | | perform and are not believed likely. Attacks against DH512 |
1112| | | | | are considered just feasible. However, for an attack the |
1113| | | | | target would have to re-use the DH512 private key, which |
1114| | | | | is not recommended anyway. Also applications directly |
1115| | | | | using the low level API BN_mod_exp may be affected if they |
1116| | | | | use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected |
1117| | | | | 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t). |
1118| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551 |
1119+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1120| Unapproved | Low CVE-2019-9071 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in GNU libiberty, as |
1121| | | | | distributed in GNU Binutils 2.32. It is a stack |
1122| | | | | consumption issue in d_count_templates_scopes |
1123| | | | | in cp-demangle.c after many recursive calls. |
1124| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9071 |
1125+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1126| Unapproved | Low CVE-2019-2228 | cups | 2.2.7-1ubuntu2.7 | In array_find of array.c, there is a possible out-of-bounds |
1127| | | | | read due to an incorrect bounds check. This could lead to |
1128| | | | | local information disclosure in the printer spooler with no |
1129| | | | | additional execution privileges needed. User interaction is not |
1130| | | | | needed for exploitation.Product: AndroidVersions: Android-8.0 |
1131| | | | | Android-8.1 Android-9 Android-10Android ID: A-111210196 |
1132| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2228 |
1133+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1134| Unapproved | Low CVE-2018-18309 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
1135| | | | | (BFD) library (aka libbfd), as distributed in GNU |
1136| | | | | Binutils 2.31. An invalid memory address dereference was |
1137| | | | | discovered in read_reloc in reloc.c. The vulnerability |
1138| | | | | causes a segmentation fault and application crash, which |
1139| | | | | leads to denial of service, as demonstrated by objdump, |
1140| | | | | because of missing _bfd_clear_contents bounds checking. |
1141| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-18309 |
1142+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1143| Unapproved | Low CVE-2019-12098 | heimdal | 7.5.0+dfsg-1 | In the client side of Heimdal before 7.6.0, failure |
1144| | | | | to verify anonymous PKINIT PA-PKINIT-KX key exchange |
1145| | | | | permits a man-in-the-middle attack. This issue is in |
1146| | | | | krb5_init_creds_step in lib/krb5/init_creds_pw.c. |
1147| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12098 |
1148+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1149| Unapproved | Low CVE-2016-4484 | cryptsetup | 2:2.0.2-1ubuntu1.1 | The Debian initrd script for the cryptsetup package 2:1.7.3-2 |
1150| | | | | and earlier allows physically proximate attackers to gain shell |
1151| | | | | access via many log in attempts with an invalid password. |
1152| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-4484 |
1153+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1154| Unapproved | Low CVE-2018-15919 | openssh | 1:7.6p1-4ubuntu0.3 | Remotely observable behaviour in auth-gss2.c in OpenSSH |
1155| | | | | through 7.8 could be used by remote attackers to detect |
1156| | | | | existence of users on a target system when GSS2 is in |
1157| | | | | use. NOTE: the discoverer states 'We understand that |
1158| | | | | the OpenSSH developers do not want to treat such a |
1159| | | | | username enumeration (or "oracle") as a vulnerability.' |
1160| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-15919 |
1161+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1162| Unapproved | Low CVE-2019-6110 | openssh | 1:7.6p1-4ubuntu0.3 | In OpenSSH 7.9, due to accepting and displaying arbitrary stderr |
1163| | | | | output from the server, a malicious server (or Man-in-The-Middle |
1164| | | | | attacker) can manipulate the client output, for example to use |
1165| | | | | ANSI control codes to hide additional files being transferred. |
1166| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-6110 |
1167+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1168| Unapproved | Low CVE-2017-13736 | graphicsmagick | 1.3.28-2ubuntu0.1 | There are lots of memory leaks in the GMCommand |
1169| | | | | function in magick/command.c in GraphicsMagick 1.3.26 |
1170| | | | | that will lead to a remote denial of service attack. |
1171| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-13736 |
1172+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1173| Unapproved | Low CVE-2018-10372 | binutils | 2.30-21ubuntu1~18.04.2 | process_cu_tu_index in dwarf.c in GNU Binutils 2.30 |
1174| | | | | allows remote attackers to cause a denial of service |
1175| | | | | (heap-based buffer over-read and application crash) |
1176| | | | | via a crafted binary file, as demonstrated by readelf. |
1177| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10372 |
1178+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1179| Unapproved | Low CVE-2018-12641 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in arm_pt in cplus-dem.c in |
1180| | | | | GNU libiberty, as distributed in GNU Binutils 2.30. |
1181| | | | | Stack Exhaustion occurs in the C++ demangling functions |
1182| | | | | provided by libiberty, and there are recursive stack |
1183| | | | | frames: demangle_arm_hp_template, demangle_class_name, |
1184| | | | | demangle_fund_type, do_type, do_arg, demangle_args, and |
1185| | | | | demangle_nested_args. This can occur during execution of nm-new. |
1186| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-12641 |
1187+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1188| Unapproved | Low CVE-2019-14855 | gnupg2 | 2.2.4-1ubuntu1.2 | A flaw was found in the way certificate signatures could |
1189| | | | | be forged using collisions found in the SHA-1 algorithm. An |
1190| | | | | attacker could use this weakness to create forged certificate |
1191| | | | | signatures. This issue affects GnuPG versions before 2.2.18. |
1192| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14855 |
1193+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1194| Unapproved | Low CVE-2019-20454 | pcre2 | 10.31-2 | An out-of-bounds read was discovered in PCRE before 10.34 when |
1195| | | | | the pattern \X is JIT compiled and used to match specially |
1196| | | | | crafted subjects in non-UTF mode. Applications that use PCRE |
1197| | | | | to parse untrusted input may be vulnerable to this flaw, |
1198| | | | | which would allow an attacker to crash the application. The |
1199| | | | | flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. |
1200| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-20454 |
1201+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1202| Unapproved | Low CVE-2017-11164 | pcre3 | 2:8.39-9 | In PCRE 8.41, the OP_KETRMAX feature in the match function |
1203| | | | | in pcre_exec.c allows stack exhaustion (uncontrolled |
1204| | | | | recursion) when processing a crafted regular expression. |
1205| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164 |
1206+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1207| Unapproved | Low CVE-2019-13050 | gnupg2 | 2.2.4-1ubuntu1.2 | Interaction between the sks-keyserver code through 1.2.0 |
1208| | | | | of the SKS keyserver network, and GnuPG through 2.2.16, |
1209| | | | | makes it risky to have a GnuPG keyserver configuration |
1210| | | | | line referring to a host on the SKS keyserver network. |
1211| | | | | Retrieving data from this network may cause a persistent |
1212| | | | | denial of service, because of a Certificate Spamming Attack. |
1213| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-13050 |
1214+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1215| Unapproved | Low CVE-2018-20482 | tar | 1.29b-2ubuntu0.1 | GNU Tar through 1.30, when --sparse is used, mishandles |
1216| | | | | file shrinkage during read access, which allows local |
1217| | | | | users to cause a denial of service (infinite read loop |
1218| | | | | in sparse_dump_region in sparse.c) by modifying a file |
1219| | | | | that is supposed to be archived by a different user's |
1220| | | | | process (e.g., a system backup running as root). |
1221| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20482 |
1222+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1223| Unapproved | Low CVE-2018-14048 | libpng1.6 | 1.6.34-1ubuntu0.18.04.2 | An issue has been found in libpng 1.6.34. It is a SEGV |
1224| | | | | in the function png_free_data in png.c, related to |
1225| | | | | the recommended error handling for png_read_image. |
1226| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-14048 |
1227+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1228| Unapproved | Low CVE-2019-9923 | tar | 1.29b-2ubuntu0.1 | pax_decode_header in sparse.c in GNU Tar before 1.32 |
1229| | | | | had a NULL pointer dereference when parsing certain |
1230| | | | | archives that have malformed extended headers. |
1231| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9923 |
1232+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1233| Unapproved | Low CVE-2012-2663 | iptables | 1.6.1-2ubuntu2 | extensions/libxt_tcp.c in iptables through 1.4.21 |
1234| | | | | does not match TCP SYN+FIN packets in --syn rules, |
1235| | | | | which might allow remote attackers to bypass intended |
1236| | | | | firewall restrictions via crafted packets. NOTE: the |
1237| | | | | CVE-2012-6638 fix makes this issue less relevant. |
1238| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-2663 |
1239+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1240| Unapproved | Low CVE-2017-14159 | openldap | 2.4.45+dfsg-1ubuntu1.4 | slapd in OpenLDAP 2.4.45 and earlier creates a PID file |
1241| | | | | after dropping privileges to a non-root account, which |
1242| | | | | might allow local users to kill arbitrary processes by |
1243| | | | | leveraging access to this non-root account for PID file |
1244| | | | | modification before a root script executes a "kill `cat |
1245| | | | | /pathname`" command, as demonstrated by openldap-initscript. |
1246| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14159 |
1247+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1248| Unapproved | Low CVE-2017-15131 | xdg-user-dirs | 0.17-1ubuntu1 | It was found that system umask policy is not being |
1249| | | | | honored when creating XDG user directories, since |
1250| | | | | Xsession sources xdg-user-dirs.sh before setting |
1251| | | | | umask policy. This only affects xdg-user-dirs before |
1252| | | | | 0.15.5 as shipped with Red Hat Enterprise Linux. |
1253| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15131 |
1254+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1255| Unapproved | Low CVE-2019-1547 | openssl | 1.1.1-1ubuntu2.1~18.04.5 | Normally in OpenSSL EC groups always have a co-factor present |
1256| | | | | and this is used in side channel resistant code paths. |
1257| | | | | However, in some cases, it is possible to construct a group |
1258| | | | | using explicit parameters (instead of using a named curve). |
1259| | | | | In those cases it is possible that such a group does not |
1260| | | | | have the cofactor present. This can occur even where all the |
1261| | | | | parameters match a known named curve. If such a curve is used |
1262| | | | | then OpenSSL falls back to non-side channel resistant code |
1263| | | | | paths which may result in full key recovery during an ECDSA |
1264| | | | | signature operation. In order to be vulnerable an attacker |
1265| | | | | would have to have the ability to time the creation of a |
1266| | | | | large number of signatures where explicit parameters with no |
1267| | | | | co-factor present are in use by an application using libcrypto. |
1268| | | | | For the avoidance of doubt libssl is not vulnerable because |
1269| | | | | explicit parameters are never used. Fixed in OpenSSL 1.1.1d |
1270| | | | | (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected |
1271| | | | | 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
1272| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547 |
1273+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1274| Unapproved | Low CVE-2019-1563 | openssl | 1.1.1-1ubuntu2.1~18.04.5 | In situations where an attacker receives automated |
1275| | | | | notification of the success or failure of a decryption |
1276| | | | | attempt an attacker, after sending a very large number of |
1277| | | | | messages to be decrypted, can recover a CMS/PKCS7 transported |
1278| | | | | encryption key or decrypt any RSA encrypted message that was |
1279| | | | | encrypted with the public RSA key, using a Bleichenbacher |
1280| | | | | padding oracle attack. Applications are not affected if |
1281| | | | | they use a certificate together with the private RSA key |
1282| | | | | to the CMS_decrypt or PKCS7_decrypt functions to select the |
1283| | | | | correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d |
1284| | | | | (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected |
1285| | | | | 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
1286| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563 |
1287+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1288| Unapproved | Low CVE-2019-1549 | openssl | 1.1.1-1ubuntu2.1~18.04.5 | OpenSSL 1.1.1 introduced a rewritten random number generator |
1289| | | | | (RNG). This was intended to include protection in the event |
1290| | | | | of a fork() system call in order to ensure that the parent and |
1291| | | | | child processes did not share the same RNG state. However this |
1292| | | | | protection was not being used in the default case. A partial |
1293| | | | | mitigation for this issue is that the output from a high |
1294| | | | | precision timer is mixed into the RNG state so the likelihood |
1295| | | | | of a parent and child process sharing state is significantly |
1296| | | | | reduced. If an application already calls OPENSSL_init_crypto() |
1297| | | | | explicitly using OPENSSL_INIT_ATFORK then this problem does not |
1298| | | | | occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). |
1299| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549 |
1300+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1301| Unapproved | Low CVE-2019-1551 | openssl | 1.1.1-1ubuntu2.1~18.04.5 | There is an overflow bug in the x64_64 Montgomery squaring |
1302| | | | | procedure used in exponentiation with 512-bit moduli. No |
1303| | | | | EC algorithms are affected. Analysis suggests that attacks |
1304| | | | | against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 |
1305| | | | | as a result of this defect would be very difficult to |
1306| | | | | perform and are not believed likely. Attacks against DH512 |
1307| | | | | are considered just feasible. However, for an attack the |
1308| | | | | target would have to re-use the DH512 private key, which |
1309| | | | | is not recommended anyway. Also applications directly |
1310| | | | | using the low level API BN_mod_exp may be affected if they |
1311| | | | | use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected |
1312| | | | | 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t). |
1313| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551 |
1314+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1315| Unapproved | Low CVE-2018-17358 | binutils | 2.30-21ubuntu1~18.04.2 | An issue was discovered in the Binary File Descriptor |
1316| | | | | (BFD) library (aka libbfd), as distributed in GNU |
1317| | | | | Binutils 2.31. An invalid memory access exists in |
1318| | | | | _bfd_stab_section_find_nearest_line in syms.c. Attackers |
1319| | | | | could leverage this vulnerability to cause a denial of |
1320| | | | | service (application crash) via a crafted ELF file. |
1321| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17358 |
1322+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1323| Unapproved | Low CVE-2018-16869 | nettle | 3.4-1 | A Bleichenbacher type side-channel based padding oracle |
1324| | | | | attack was found in the way nettle handles endian conversion |
1325| | | | | of RSA decrypted PKCS#1 v1.5 data. An attacker who is able |
1326| | | | | to run a process on the same physical core as the victim |
1327| | | | | process, could use this flaw extract plaintext or in some |
1328| | | | | cases downgrade any TLS connections to a vulnerable server. |
1329| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16869 |
1330+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1331| Unapproved | Low CVE-2018-10126 | tiff | 4.0.9-5ubuntu0.3 | LibTIFF 4.0.9 has a NULL pointer dereference |
1332| | | | | in the jpeg_fdct_16x16 function in jfdctint.c. |
1333| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10126 |
1334+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1335| Unapproved | Low CVE-2017-9525 | cron | 3.0pl1-128.1ubuntu1 | In the cron package through 3.0pl1-128 on Debian, |
1336| | | | | and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst |
1337| | | | | maintainer script allows for group-crontab-to-root |
1338| | | | | privilege escalation via symlink attacks against |
1339| | | | | unsafe usage of the chown and chmod programs. |
1340| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9525 |
1341+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1342| Unapproved | Low CVE-2019-19645 | sqlite3 | 3.22.0-1ubuntu0.3 | alter.c in SQLite through 3.30.1 allows attackers to trigger |
1343| | | | | infinite recursion via certain types of self-referential |
1344| | | | | views in conjunction with ALTER TABLE statements. |
1345| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19645 |
1346+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1347| Unapproved | Low CVE-2018-8740 | sqlite3 | 3.22.0-1ubuntu0.3 | In SQLite through 3.22.0, databases whose schema is |
1348| | | | | corrupted using a CREATE TABLE AS statement could cause a |
1349| | | | | NULL pointer dereference, related to build.c and prepare.c. |
1350| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-8740 |
1351+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1352| Unapproved | Low CVE-2019-19603 | sqlite3 | 3.22.0-1ubuntu0.3 | SQLite 3.30.1 mishandles certain SELECT statements with |
1353| | | | | a nonexistent VIEW, leading to an application crash. |
1354| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19603 |
1355+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1356| Unapproved | Low CVE-2009-5155 | glibc | 2.27-3ubuntu1 | In the GNU C Library (aka glibc or libc6) before 2.28, |
1357| | | | | parse_reg_exp in posix/regcomp.c misparses alternatives, |
1358| | | | | which allows attackers to cause a denial of service |
1359| | | | | (assertion failure and application exit) or trigger an |
1360| | | | | incorrect result by attempting a regular-expression match. |
1361| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155 |
1362+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1363| Unapproved | Low CVE-2019-19232 | sudo | 1.8.21p2-3ubuntu1.2 | ** DISPUTED ** In Sudo through 1.8.29, an attacker with |
1364| | | | | access to a Runas ALL sudoer account can impersonate a |
1365| | | | | nonexistent user by invoking sudo with a numeric uid that is |
1366| | | | | not associated with any user. NOTE: The software maintainer |
1367| | | | | believes that this is not a vulnerability because running a |
1368| | | | | command via sudo as a user not present in the local password |
1369| | | | | database is an intentional feature. Because this behavior |
1370| | | | | surprised some users, sudo 1.8.30 introduced an option to |
1371| | | | | enable/disable this behavior with the default being disabled. |
1372| | | | | However, this does not change the fact that sudo was behaving |
1373| | | | | as intended, and as documented, in earlier versions. |
1374| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19232 |
1375+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1376| Unapproved | Low CVE-2019-19234 | sudo | 1.8.21p2-3ubuntu1.2 | ** DISPUTED ** In Sudo through 1.8.29, the fact that a user |
1377| | | | | has been blocked (e.g., by using the ! character in the shadow |
1378| | | | | file instead of a password hash) is not considered, allowing |
1379| | | | | an attacker (who has access to a Runas ALL sudoer account) to |
1380| | | | | impersonate any blocked user. NOTE: The software maintainer |
1381| | | | | believes that this CVE is not valid. Disabling local password |
1382| | | | | authentication for a user is not the same as disabling all |
1383| | | | | access to that user--the user may still be able to login via |
1384| | | | | other means (ssh key, kerberos, etc). Both the Linux shadow(5) |
1385| | | | | and passwd(1) manuals are clear on this. Indeed it is a valid |
1386| | | | | use case to have local accounts that are _only_ accessible |
1387| | | | | via sudo and that cannot be logged into with a password. |
1388| | | | | Sudo 1.8.30 added an optional setting to check the _shell_ |
1389| | | | | of the target user (not the encrypted password!) against the |
1390| | | | | contents of /etc/shells but that is not the same thing as |
1391| | | | | preventing access to users with an invalid password hash. |
1392| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19234 |
1393+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1394| Unapproved | Low CVE-2018-20651 | binutils | 2.30-21ubuntu1~18.04.2 | A NULL pointer dereference was discovered in |
1395| | | | | elf_link_add_object_symbols in elflink.c in the Binary File |
1396| | | | | Descriptor (BFD) library (aka libbfd), as distributed in GNU |
1397| | | | | Binutils 2.31.1. This occurs for a crafted ET_DYN with no |
1398| | | | | program headers. A specially crafted ELF file allows remote |
1399| | | | | attackers to cause a denial of service, as demonstrated by ld. |
1400| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20651 |
1401+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1402| Unapproved | Low CVE-2019-18276 | bash | 4.4.18-2ubuntu1.2 | An issue was discovered in disable_priv_mode in shell.c in GNU |
1403| | | | | Bash through 5.0 patch 11. By default, if Bash is run with its |
1404| | | | | effective UID not equal to its real UID, it will drop privileges |
1405| | | | | by setting its effective UID to its real UID. However, it does |
1406| | | | | so incorrectly. On Linux and other systems that support "saved |
1407| | | | | UID" functionality, the saved UID is not dropped. An attacker |
1408| | | | | with command execution in the shell can use "enable -f" for |
1409| | | | | runtime loading of a new builtin, which can be a shared object |
1410| | | | | that calls setuid() and therefore regains privileges. However, |
1411| | | | | binaries running with an effective UID of 0 are unaffected. |
1412| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276 |
1413+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1414| Unapproved | Low CVE-2015-8985 | glibc | 2.27-3ubuntu1 | The pop_fail_stack function in the GNU C Library (aka glibc |
1415| | | | | or libc6) allows context-dependent attackers to cause a denial |
1416| | | | | of service (assertion failure and application crash) via |
1417| | | | | vectors related to extended regular expression processing. |
1418| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-8985 |
1419+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1420| Unapproved | Low CVE-2018-20002 | binutils | 2.30-21ubuntu1~18.04.2 | The _bfd_generic_read_minisymbols function in syms.c in |
1421| | | | | the Binary File Descriptor (BFD) library (aka libbfd), |
1422| | | | | as distributed in GNU Binutils 2.31, has a memory |
1423| | | | | leak via a crafted ELF file, leading to a denial of |
1424| | | | | service (memory consumption), as demonstrated by nm. |
1425| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20002 |
1426+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1427| Unapproved | Low CVE-2019-9169 | glibc | 2.27-3ubuntu1 | In the GNU C Library (aka glibc or libc6) through |
1428| | | | | 2.29, proceed_next_node in posix/regexec.c has |
1429| | | | | a heap-based buffer over-read via an attempted |
1430| | | | | case-insensitive regular-expression match. |
1431| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9169 |
1432+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1433| Unapproved | Low CVE-2018-13033 | binutils | 2.30-21ubuntu1~18.04.2 | The Binary File Descriptor (BFD) library (aka libbfd), as |
1434| | | | | distributed in GNU Binutils 2.30, allows remote attackers to |
1435| | | | | cause a denial of service (excessive memory allocation and |
1436| | | | | application crash) via a crafted ELF file, as demonstrated |
1437| | | | | by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc |
1438| | | | | in libbfd.c. This can occur during execution of nm. |
1439| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-13033 |
1440+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1441| Unapproved | Low CVE-2018-1000021 | git | 1:2.26.2-0ppa1~ubuntu18.04.1 | GIT version 2.15.1 and earlier contains a Input Validation Error |
1442| | | | | vulnerability in Client that can result in problems including |
1443| | | | | messing up terminal configuration to RCE. This attack appear |
1444| | | | | to be exploitable via The user must interact with a malicious |
1445| | | | | git server, (or have their traffic modified in a MITM attack). |
1446| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000021 |
1447+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1448| Unapproved | Low CVE-2019-1563 | openssl1.0 | 1.0.2n-1ubuntu5.3 | In situations where an attacker receives automated |
1449| | | | | notification of the success or failure of a decryption |
1450| | | | | attempt an attacker, after sending a very large number of |
1451| | | | | messages to be decrypted, can recover a CMS/PKCS7 transported |
1452| | | | | encryption key or decrypt any RSA encrypted message that was |
1453| | | | | encrypted with the public RSA key, using a Bleichenbacher |
1454| | | | | padding oracle attack. Applications are not affected if |
1455| | | | | they use a certificate together with the private RSA key |
1456| | | | | to the CMS_decrypt or PKCS7_decrypt functions to select the |
1457| | | | | correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d |
1458| | | | | (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected |
1459| | | | | 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
1460| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563 |
1461+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1462| Unapproved | Low CVE-2016-10739 | glibc | 2.27-3ubuntu1 | In the GNU C Library (aka glibc or libc6) through 2.28, the |
1463| | | | | getaddrinfo function would successfully parse a string that |
1464| | | | | contained an IPv4 address followed by whitespace and arbitrary |
1465| | | | | characters, which could lead applications to incorrectly assume |
1466| | | | | that it had parsed a valid string, without the possibility of |
1467| | | | | embedded HTTP headers or other potentially dangerous substrings. |
1468| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10739 |
1469+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1470| Unapproved | Low CVE-2015-9019 | libxslt | 1.1.29-5ubuntu0.2 | In libxslt 1.1.29 and earlier, the EXSLT math.random |
1471| | | | | function was not initialized with a random |
1472| | | | | seed during startup, which could cause usage of |
1473| | | | | this function to produce predictable outputs. |
1474| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-9019 |
1475+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1476| Unapproved | Negligible CVE-2019-7309 | glibc | 2.27-3ubuntu1 | In the GNU C Library (aka glibc or libc6) through 2.29, the |
1477| | | | | memcmp function for the x32 architecture can incorrectly |
1478| | | | | return zero (indicating that the inputs are equal) |
1479| | | | | because the RDX most significant bit is mishandled. |
1480| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7309 |
1481+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1482| Unapproved | Negligible CVE-2019-9192 | glibc | 2.27-3ubuntu1 | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) |
1483| | | | | through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c |
1484| | | | | has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' |
1485| | | | | in grep, a different issue than CVE-2018-20796. NOTE: the |
1486| | | | | software maintainer disputes that this is a vulnerability |
1487| | | | | because the behavior occurs only with a crafted pattern. |
1488| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192 |
1489+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1490| Unapproved | Negligible CVE-2018-20796 | glibc | 2.27-3ubuntu1 | In the GNU C Library (aka glibc or libc6) through |
1491| | | | | 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c |
1492| | | | | has Uncontrolled Recursion, as demonstrated |
1493| | | | | by '(\227|)(\\1\\1|t1|\\\2537)+' in grep. |
1494| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796 |
1495+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1496| Unapproved | Negligible CVE-2018-5709 | krb5 | 1.16-2ubuntu0.1 | An issue was discovered in MIT Kerberos 5 (aka krb5) |
1497| | | | | through 1.16. There is a variable "dbentry->n_key_data" in |
1498| | | | | kadmin/dbutil/dump.c that can store 16-bit data but unknowingly |
1499| | | | | the developer has assigned a "u4" variable to it, which |
1500| | | | | is for 32-bit data. An attacker can use this vulnerability |
1501| | | | | to affect other artifacts of the database as we know that |
1502| | | | | a Kerberos database dump file contains trusted data. |
1503| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709 |
1504+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1505| Unapproved | Negligible CVE-2020-11656 | sqlite3 | 3.22.0-1ubuntu0.3 | In SQLite through 3.31.1, the ALTER TABLE implementation |
1506| | | | | has a use-after-free, as demonstrated by an ORDER BY |
1507| | | | | clause that belongs to a compound SELECT statement. |
1508| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-11656 |
1509+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1510| Unapproved | Negligible CVE-2018-6952 | patch | 2.7.6-2ubuntu1.1 | A double free exists in the another_hunk |
1511| | | | | function in pch.c in GNU patch through 2.7.6. |
1512| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952 |
1513+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1514| Unapproved | Negligible CVE-2019-11360 | iptables | 1.6.1-2ubuntu2 | A buffer overflow in iptables-restore in netfilter |
1515| | | | | iptables 1.8.2 allows an attacker to (at least) |
1516| | | | | crash the program or potentially gain code execution |
1517| | | | | via a specially crafted iptables-save file. This |
1518| | | | | is related to add_param_to_argv in xshared.c. |
1519| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-11360 |
1520+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1521| Unapproved | Negligible CVE-2017-7245 | pcre3 | 2:8.39-9 | Stack-based buffer overflow in the pcre32_copy_substring |
1522| | | | | function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote |
1523| | | | | attackers to cause a denial of service (WRITE of size 4) or |
1524| | | | | possibly have unspecified other impact via a crafted file. |
1525| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7245 |
1526+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1527| Unapproved | Negligible CVE-2017-7246 | pcre3 | 2:8.39-9 | Stack-based buffer overflow in the pcre32_copy_substring |
1528| | | | | function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote |
1529| | | | | attackers to cause a denial of service (WRITE of size 268) or |
1530| | | | | possibly have unspecified other impact via a crafted file. |
1531| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7246 |
1532+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1533| Unapproved | Negligible CVE-2018-7738 | util-linux | 2.31.1-0.4ubuntu3.5 | In util-linux before 2.32-rc1, bash-completion/umount |
1534| | | | | allows local users to gain privileges by embedding |
1535| | | | | shell commands in a mountpoint name, which is mishandled |
1536| | | | | during a umount command (within Bash) by a different |
1537| | | | | user, as demonstrated by logging in as root and entering |
1538| | | | | umount followed by a tab character for autocompletion. |
1539| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-7738 |
1540+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1541| Unapproved | Negligible CVE-2017-8283 | dpkg | 1.19.0.5ubuntu2.3 | dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a |
1542| | | | | non-GNU patch program and does not offer a protection mechanism |
1543| | | | | for blank-indented diff hunks, which allows remote attackers to |
1544| | | | | conduct directory traversal attacks via a crafted Debian source |
1545| | | | | package, as demonstrated by use of dpkg-source on NetBSD. |
1546| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-8283 |
1547+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1548| Unapproved | Negligible CVE-2018-1000654 | libtasn1-6 | 4.13-2 | GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, |
1549| | | | | libtasn1-4.12 contains a DoS, specifically CPU usage |
1550| | | | | will reach 100% when running asn1Paser against the POC |
1551| | | | | due to an issue in _asn1_expand_object_id(p_tree), after |
1552| | | | | a long time, the program will be killed. This attack |
1553| | | | | appears to be exploitable via parsing a crafted file. |
1554| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000654 |
1555+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1556| Unapproved | Negligible CVE-2017-9937 | jbigkit | 2.1-3.1build1 | In LibTIFF 4.0.8, there is a memory malloc failure |
1557| | | | | in tif_jbig.c. A crafted TIFF document can lead to an |
1558| | | | | abort resulting in a remote denial of service attack. |
1559| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9937 |
1560+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1561| Unapproved | Negligible CVE-2019-17595 | ncurses | 6.1-1ubuntu1.18.04 | There is a heap-based buffer over-read in the |
1562| | | | | fmt_entry function in tinfo/comp_hash.c in the |
1563| | | | | terminfo library in ncurses before 6.1-20191012. |
1564| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-17595 |
1565+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1566| Unapproved | Negligible CVE-2019-17594 | ncurses | 6.1-1ubuntu1.18.04 | There is a heap-based buffer over-read in the |
1567| | | | | _nc_find_entry function in tinfo/comp_hash.c in the |
1568| | | | | terminfo library in ncurses before 6.1-20191012. |
1569| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-17594 |
1570+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1571| Unapproved | Negligible CVE-2016-10228 | glibc | 2.27-3ubuntu1 | The iconv program in the GNU C Library (aka glibc or |
1572| | | | | libc6) 2.25 and earlier, when invoked with the -c option, |
1573| | | | | enters an infinite loop when processing invalid multi-byte |
1574| | | | | input sequences, leading to a denial of service. |
1575| | | | | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10228 |
1576+------------+-----------------------------+----------------+------------------------------+------------------------------------------------------------------+
1577 Running after_script 00:02
1578 Saving cache 00:01
1579 Uploading artifacts for successful job 00:04
1580Uploading artifacts...
1581gl-sast-container-report.json: found 1 matching files
1582Uploading artifacts to coordinator... ok id=532348993 responseStatus=201 Created token=UaocxzsR
1583Job succeeded