Merge branch 'ce-9090-follow_up_on_store_container_scanning_results_in_db' into 'master'

Backport container scanning fixtures

See merge request gitlab-org/gitlab-ce!24292
commit 33d69aaeee
@ -1,18 +1,16 @@
{
"image": "registry.gitlab.com/bikebilly/auto-devops-10-6/feature-branch:e7315ba964febb11bac8f5cd6ec433db8a3a1583",
"unapproved": [
"CVE-2017-15650"
],
"vulnerabilities": [
{
"featurename": "musl",
"featureversion": "1.1.14-r15",
"vulnerability": "CVE-2017-15650",
"namespace": "alpine:v3.4",
"description": "",
"link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15650",
"severity": "Medium",
"fixedby": "1.1.14-r16"
}
]
"image": "registry.gitlab.com/bikebilly/auto-devops-10-6/feature-branch:e7315ba964febb11bac8f5cd6ec433db8a3a1583",
"unapproved": ["CVE-2017-15650"],
"vulnerabilities": [
{
"featurename": "musl",
"featureversion": "1.1.14-r15",
"vulnerability": "CVE-2017-15650",
"namespace": "alpine:v3.4",
"description": "",
"link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15650",
"severity": "Medium",
"fixedby": "1.1.14-r16"
}
]
}
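Review bot: the only change in this hunk is collapsing `"unapproved"` from a three-line array to the single line `"unapproved": ["CVE-2017-15650"],`, while the second fixture in this commit keeps its `"unapproved"` array one entry per line; pick one layout for the fixtures so later diffs show content changes only. The data itself is unchanged and internally consistent: the single unapproved id matches the one `"vulnerability"` entry, and `"fixedby": "1.1.14-r16"` supplies a remediation version.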
@ -1,92 +1,92 @@
{
"image": "registry.gitlab.com/groulot/container-scanning-test/master:5f21de6956aee99ddb68ae49498662d9872f50ff",
"unapproved": [
"CVE-2017-18018",
"CVE-2016-2781",
"CVE-2017-12424",
"CVE-2007-5686",
"CVE-2013-4235"
],
"vulnerabilities": [
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2017-18269",
"namespace": "debian:9",
"description": "SSE2-optimized memmove implementation problem.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-18269",
"severity": "Defcon1",
"fixedby": "2.24-11+deb9u4"
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2017-16997",
"namespace": "debian:9",
"description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
"severity": "Critical",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2018-1000001",
"namespace": "debian:9",
"description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001",
"severity": "High",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2016-10228",
"namespace": "debian:9",
"description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"link": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "elfutils",
"featureversion": "0.168-1",
"vulnerability": "CVE-2018-18520",
"namespace": "debian:9",
"description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-18520",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2010-4052",
"namespace": "debian:9",
"description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"link": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "nettle",
"featureversion": "3.3-1",
"vulnerability": "CVE-2018-16869",
"namespace": "debian:9",
"description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-16869",
"severity": "Unknown",
"fixedby": ""
},
{
"featurename": "perl",
"featureversion": "5.24.1-3+deb9u4",
"vulnerability": "CVE-2018-18311",
"namespace": "debian:9",
"description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-18311",
"severity": "Unknown",
"fixedby": "5.24.1-3+deb9u5"
}
]
}
"image": "registry.gitlab.com/groulot/container-scanning-test/master:5f21de6956aee99ddb68ae49498662d9872f50ff",
"unapproved": [
"CVE-2017-18018",
"CVE-2016-2781",
"CVE-2017-12424",
"CVE-2007-5686",
"CVE-2013-4235"
],
"vulnerabilities": [
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2017-18269",
"namespace": "debian:9",
"description": "SSE2-optimized memmove implementation problem.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-18269",
"severity": "Defcon1",
"fixedby": "2.24-11+deb9u4"
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2017-16997",
"namespace": "debian:9",
"description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
"link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
"severity": "Critical",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2018-1000001",
"namespace": "debian:9",
"description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001",
"severity": "High",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2016-10228",
"namespace": "debian:9",
"description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"link": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
"severity": "Medium",
"fixedby": ""
},
{
"featurename": "elfutils",
"featureversion": "0.168-1",
"vulnerability": "CVE-2018-18520",
"namespace": "debian:9",
"description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-18520",
"severity": "Low",
"fixedby": ""
},
{
"featurename": "glibc",
"featureversion": "2.24-11+deb9u3",
"vulnerability": "CVE-2010-4052",
"namespace": "debian:9",
"description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"link": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
"severity": "Negligible",
"fixedby": ""
},
{
"featurename": "nettle",
"featureversion": "3.3-1",
"vulnerability": "CVE-2018-16869",
"namespace": "debian:9",
"description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-16869",
"severity": "Unknown",
"fixedby": ""
},
{
"featurename": "perl",
"featureversion": "5.24.1-3+deb9u4",
"vulnerability": "CVE-2018-18311",
"namespace": "debian:9",
"description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-18311",
"severity": "Unknown",
"fixedby": "5.24.1-3+deb9u5"
}
]
}
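Review bot: no content difference between the old and new side is visible on any of the 92 lines of this hunk (same image reference, same five unapproved ids, same eight vulnerability entries with identical field values), so this appears to be a whitespace or indentation-only change and should be described as such in the merge request. Independently of the change, none of the five ids under `"unapproved"` (CVE-2017-18018, CVE-2016-2781, CVE-2017-12424, CVE-2007-5686, CVE-2013-4235) appears as a `"vulnerability"` value in the `"vulnerabilities"` array; since this branch follows up on storing container scanning results in the database, either document that the mismatch is intentional test data or add a fixture in which the two lists overlap, so that code joining unapproved ids to vulnerability records is exercised on both cases.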