Created September 19, 2016 18:55
bjozsa@megatron ~ ❯❯❯ analyze-local-images 31347bae83b8
2016-09-19 14:54:26.423641 I | Saving 31347bae83b8 to local disk (this may take some time)
2016-09-19 14:54:29.278098 I | Retrieving image history
2016-09-19 14:54:29.278220 I | Analyzing 14 layers...
2016-09-19 14:54:29.278227 I | Analyzing 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
2016-09-19 14:54:29.279617 I | Analyzing 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
2016-09-19 14:54:29.280781 I | Analyzing a42428a792e24fb647ba5dae989e830208905b788ec9fe5ca999af8542511de7
2016-09-19 14:54:29.281745 I | Analyzing 9af0912d5afe6bdae86d1af5d667093ec99db3894a8f577d1ed36c95c83a6be8
2016-09-19 14:54:29.282689 I | Analyzing 5f2b525a42b49d22793547a1d0b419206d7c544bcf5f59f99df02323e0a36c3a
2016-09-19 14:54:29.283579 I | Analyzing 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
2016-09-19 14:54:29.284493 I | Analyzing 5b33d2bda4e270c88ccb24dd56e75f8c8bd69875ce2de9d17b2f7d066c2878c2
2016-09-19 14:54:29.285370 I | Analyzing a3954baecab1f3c6e5c0d32f41f2490cad55e711662af541c94d58b69d32b5e6
2016-09-19 14:54:29.286252 I | Analyzing de4758f98782b37f269d9a475bda92df32291655d5e5a32e36d7ff0265e85c6e
2016-09-19 14:54:29.287204 I | Analyzing 974d96fd3cad322c011b48c5a26978b168537325306c39c4b128933a244e4b5e
2016-09-19 14:54:29.287980 I | Analyzing a6cc704a9f105c84c73febcc771730135a1ca3a43f8548697b9b388f480f41b7
2016-09-19 14:54:29.288843 I | Analyzing a7fc8ee5cc0e4fbea2918ea5443b66aae2c5821fdac655a500478781db12faec
2016-09-19 14:54:29.289715 I | Analyzing f0e2d5ce752bbef8168f54a69e4d638482169041936721864fa34a860f8b97df
2016-09-19 14:54:29.290617 I | Analyzing 08aa3af80935a1ec3c35663f0744ad42571717089882cd9e8f36134c67c4589f
2016-09-19 14:54:29.291504 I | Retrieving image's vulnerabilities
Clair report for image 31347bae83b8 (2016-09-19 18:54:29.297856755 +0000 UTC)
CVE-2016-1951 (High)
Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime
(NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer
overflow) or possibly have unspecified other impact via a long string to a
PR_*printf function.
Package: nspr @ 2:4.10.7-1+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2016-1951
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-2182 (High)
The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not
properly validate division results, which allows remote attackers to cause a
denial of service (out-of-bounds write and application crash) or possibly have
unspecified other impact via unknown vectors.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-2182
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-0494 (High)
Unspecified vulnerability in the Java SE and Java SE Embedded components in
Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote
attackers to affect confidentiality, integrity, and availability via unknown
vectors related to 2D.
Package: icu @ 52.1-8+deb8u3
Link: https://security-tracker.debian.org/tracker/CVE-2016-0494
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-2834 (High)
Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox
before 47.0, allows remote attackers to cause a denial of service (memory
corruption and application crash) or possibly have unspecified other impact via
unknown vectors.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-2834
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-6303 (High)
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in
OpenSSL before 1.1.0 allows remote attackers to cause a denial of service
(out-of-bounds write and application crash) or possibly have unspecified other
impact via unknown vectors.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-6303
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-1978 (High)
Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in
Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox
before 44.0, allows remote attackers to cause a denial of service or possibly
have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at
a time of high memory consumption.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-1978
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2015-7181 (High)
The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS)
before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and
Firefox ESR 38.x before 38.4 and other products, improperly restricts access to
an unspecified data structure, which allows remote attackers to cause a denial
of service (application crash) or possibly execute arbitrary code via crafted
OCTET STRING data, related to a "use-after-poison" issue.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2015-7181
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2015-7182 (High)
Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security
Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox
before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote
attackers to cause a denial of service (application crash) or possibly execute
arbitrary code via crafted OCTET STRING data.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2015-7182
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-6293 (High)
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International
Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there
is a '\0' character at the end of a certain temporary array, which allows remote
attackers to cause a denial of service (out-of-bounds read) or possibly have
unspecified other impact via a call with a long httpAcceptLanguage argument.
Package: icu @ 52.1-8+deb8u3
Link: https://security-tracker.debian.org/tracker/CVE-2016-6293
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2015-4844 (High)
Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE
Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to 2D.
Package: icu @ 52.1-8+deb8u3
Link: https://security-tracker.debian.org/tracker/CVE-2015-4844
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2014-9761 (High)
Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6)
before 2.23 allow context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a long argument to
the (1) nan, (2) nanf, or (3) nanl function.
Package: glibc @ 2.19-18+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2014-9761
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2016-4429 (High)
Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in
the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial
of service (crash) or possibly unspecified other impact via a flood of crafted
ICMP and UDP packets.
Package: glibc @ 2.19-18+deb8u4
Fixed version: 2.19-18+deb8u5
Link: https://security-tracker.debian.org/tracker/CVE-2016-4429
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2016-2181 (Medium)
The Anti-Replay feature in the DTLS implementation in OpenSSL before
1.1.0 mishandles early use of a new epoch number in conjunction with a
large sequence number, which allows remote attackers to cause a denial of
service (false-positive packet drops) via spoofed DTLS records, related to
rec_layer_d1.c and ssl3_record.c.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-2181
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-6302 (Medium)
The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does
not consider the HMAC size during validation of the ticket length, which allows
remote attackers to cause a denial of service via a ticket that is too short.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-6302
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-2180 (Medium)
The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key
Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through
1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read
and application crash) via a crafted time-stamp file that is mishandled by the
"openssl ts" command.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-2180
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2015-5276 (Medium)
The std::random_device class in libstdc++ in the GNU Compiler Collection (aka
GCC) before 4.9.4 does not properly handle short reads from blocking sources,
which makes it easier for context-dependent attackers to predict the random
values via unspecified vectors.
Package: gcc-4.9 @ 4.9.2-10
Link: https://security-tracker.debian.org/tracker/CVE-2015-5276
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2016-6261 (Medium)
The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows
context-dependent attackers to cause a denial of service (out-of-bounds read and
crash) via 64 bytes of input.
Package: libidn @ 1.29-1+deb8u1
Fixed version: 1.29-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-6261
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-1938 (Medium)
The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security
Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly
divides numbers, which might make it easier for remote attackers to defeat
cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2)
mp_exptmod function.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-1938
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-1234 (Medium)
Stack-based buffer overflow in the glob implementation in GNU C Library (aka
glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent
attackers to cause a denial of service (crash) via a long name.
Package: glibc @ 2.19-18+deb8u4
Fixed version: 2.19-18+deb8u5
Link: https://security-tracker.debian.org/tracker/CVE-2016-1234
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2015-2632 (Medium)
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote
attackers to affect confidentiality via unknown vectors related to 2D.
Package: icu @ 52.1-8+deb8u3
Link: https://security-tracker.debian.org/tracker/CVE-2015-2632
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-3120 (Medium)
The validate_as_request function in kdc_util.c in the Key Distribution Center
(KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when
restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure,
which allows remote authenticated users to cause a denial of service (NULL
pointer dereference and daemon crash) via an S4U2Self request.
Package: krb5 @ 1.12.1+dfsg-19+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-3120
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2015-2694 (Medium)
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before
1.13.2 do not properly track whether a client's request has been validated,
which allows remote attackers to bypass an intended preauthentication
requirement by providing (1) zero bytes of data or (2) an arbitrary realm name,
related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
Package: krb5 @ 1.12.1+dfsg-19+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2015-2694
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-6263 (Medium)
The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33
allows context-dependent attackers to cause a denial of service (out-of-bounds
read and crash) via crafted UTF-8 data.
Package: libidn @ 1.29-1+deb8u1
Fixed version: 1.29-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-6263
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-1950 (Medium)
Heap-based buffer overflow in Mozilla Network Security Services (NSS) before
3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before
45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute
arbitrary code via crafted ASN.1 data in an X.509 certificate.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-1950
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2015-5531 (Medium)
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote
attackers to read arbitrary files via unspecified vectors related to snapshot
API calls.
Package: elasticsearch @ 2.4.0
Link: https://security-tracker.debian.org/tracker/CVE-2015-5531
Layer: a6cc704a9f105c84c73febcc771730135a1ca3a43f8548697b9b388f480f41b7
CVE-2016-1979 (Medium)
Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey
function in Mozilla Network Security Services (NSS) before 3.21.1, as used
in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via crafted key data with DER
encoding.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-1979
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2015-4000 (Medium)
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on
a server but not on a client, does not properly convey a DHE_EXPORT choice,
which allows man-in-the-middle attackers to conduct cipher-downgrade attacks
by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a
ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2015-4000
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-4971 (Medium)
GNU wget before 1.18 allows remote servers to write to arbitrary files by
redirecting a request from HTTP to a crafted FTP resource.
Package: wget @ 1.16-1
Fixed version: 1.16-1+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2016-4971
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-2179 (Medium)
The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the
lifetime of queue entries associated with unused out-of-order messages, which
allows remote attackers to cause a denial of service (memory consumption) by
maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c,
statem_dtls.c, statem_lib.c, and statem_srvr.c.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-2179
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2015-8948 (Medium)
idn in GNU libidn before 1.33 might allow remote attackers to obtain sensitive
memory information by reading a zero byte as input, which triggers an
out-of-bounds read.
Package: libidn @ 1.29-1+deb8u1
Fixed version: 1.29-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2015-8948
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-3706 (Medium)
Stack-based buffer overflow in the getaddrinfo function in
sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows
remote attackers to cause a denial of service (crash) via vectors involving
hostent conversion. NOTE: this vulnerability exists because of an incomplete fix
for CVE-2013-4458.
Package: glibc @ 2.19-18+deb8u4
Fixed version: 2.19-18+deb8u5
Link: https://security-tracker.debian.org/tracker/CVE-2016-3706
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2011-3389 (Medium)
The SSL protocol, as used in certain configurations in Microsoft Windows and
Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other
products, encrypts data by using CBC mode with chained initialization vectors,
which allows man-in-the-middle attackers to obtain plaintext HTTP headers via
a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java
URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Package: gnutls28 @ 3.3.8-6+deb8u3
Link: https://security-tracker.debian.org/tracker/CVE-2011-3389
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-3075 (Medium)
Stack-based buffer overflow in the nss_dns implementation of the getnetbyname
function in GNU C Library (aka glibc) before 2.24 allows context-dependent
attackers to cause a denial of service (stack consumption and application crash)
via a long name.
Package: glibc @ 2.19-18+deb8u4
Fixed version: 2.19-18+deb8u5
Link: https://security-tracker.debian.org/tracker/CVE-2016-3075
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2015-7575 (Medium)
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla
Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject
MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol
traffic, which makes it easier for man-in-the-middle attackers to spoof servers
by triggering a collision.
Package: nss @ 2:3.17.2-1.1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2015-7575
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-3119 (Low)
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4
and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote
authenticated users to cause a denial of service (NULL pointer dereference and
daemon crash) via a crafted request to modify a principal.
Package: krb5 @ 1.12.1+dfsg-19+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-3119
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2015-5180 (Low)
Package: glibc @ 2.19-18+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2015-5180
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2016-7098 (Low)
Package: wget @ 1.16-1
Link: https://security-tracker.debian.org/tracker/CVE-2016-7098
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-2178 (Low)
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h
does not properly ensure the use of constant-time operations, which makes it
easier for local users to discover a DSA private key via a timing side-channel
attack.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-2178
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-2177 (Low)
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer
boundary checks, which might allow remote attackers to cause a denial of
service (integer overflow and application crash) or possibly have unspecified
other impact by leveraging unexpected malloc behavior, related to s3_srvr.c,
ssl_sess.c, and t1_lib.c.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2016-2177
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-3189 (Low)
Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote
attackers to cause a denial of service (crash) via a crafted bzip2 file, related
to block ends set to before the start of the block.
Package: bzip2 @ 1.0.6-7
Link: https://security-tracker.debian.org/tracker/CVE-2016-3189
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2016-6349 (Negligible)
Package: systemd @ 215-17+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2016-6349
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2006-6719 (Negligible)
The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) GNU wget
1.10.2 allows remote attackers to cause a denial of service (application crash)
via a malicious FTP server with a large number of blank 220 responses to the
SYST command.
Package: wget @ 1.16-1
Link: https://security-tracker.debian.org/tracker/CVE-2006-6719
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2013-0340 (Negligible)
expat 2.1.0 and earlier does not properly handle entities expansion unless an
application developer uses the XML_SetEntityDeclHandler function, which allows
remote attackers to cause a denial of service (resource consumption), send
HTTP requests to intranet servers, or read arbitrary files via a crafted XML
document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that
because expat already provides the ability to disable external entity expansion,
the responsibility for resolving this issue lies with application developers;
according to this argument, this entry should be REJECTed, and each affected
application would need its own CVE.
Package: expat @ 2.1.0-6+deb8u3
Link: https://security-tracker.debian.org/tracker/CVE-2013-0340
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-6251 (Negligible)
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2016-6251
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2013-4235 (Negligible)
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2013-4235
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2015-5218 (Negligible)
Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27
allows local users to cause a denial of service (crash) via a crafted file,
related to the page global variable.
Package: util-linux @ 2.25.2-6
Link: https://security-tracker.debian.org/tracker/CVE-2015-5218
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2010-4051 (Negligible)
The regcomp implementation in the GNU C Library (aka glibc or libc6) through
2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause
a denial of service (application crash) via a regular expression containing
adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation,
as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c
exploit for ProFTPD, related to a "RE_DUP_MAX overflow."
Package: glibc @ 2.19-18+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2010-4051
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2015-5377 (Negligible)
Package: elasticsearch @ 2.4.0
Link: https://security-tracker.debian.org/tracker/CVE-2015-5377
Layer: a6cc704a9f105c84c73febcc771730135a1ca3a43f8548697b9b388f480f41b7
CVE-2007-5686 (Negligible)
initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp
file, which allows local users to obtain sensitive information regarding
authentication attempts. NOTE: because sshd detects the insecure permissions
and does not log certain events, this also prevents sshd from logging failed
authentication attempts by remote attackers.
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2007-5686
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2005-2541 (Negligible)
Tar 1.15.1 does not properly warn the user when extracting setuid or setgid
files, which may allow local users or remote attackers to gain privileges.
Package: tar @ 1.27.1-2
Link: https://security-tracker.debian.org/tracker/CVE-2005-2541
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2015-3276 (Negligible)
The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does
not properly parse OpenSSL-style multi-keyword mode cipher strings, which might
cause a weaker than intended cipher to be used and allow remote attackers to
have unspecified impact via unknown vectors.
Package: openldap @ 2.4.40+dfsg-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2015-3276
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-2779 (Negligible)
Package: util-linux @ 2.25.2-6
Link: https://security-tracker.debian.org/tracker/CVE-2016-2779
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2007-6755 (Negligible)
The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic
Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with
a possible relationship to certain "skeleton key" values, which might allow
context-dependent attackers to defeat cryptographic protection mechanisms by
leveraging knowledge of those values. NOTE: this is a preliminary CVE for
Dual_EC_DRBG; future research may provide additional details about point Q and
associated attacks, and could potentially lead to a RECAST or REJECT of this
CVE.
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2007-6755
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2016-3739 (Negligible)
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2)
polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl
before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a
numerical IP address, allow remote attackers to spoof servers via an arbitrary
valid certificate.
Package: curl @ 7.38.0-4+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2016-3739
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2010-4052 (Negligible)
Stack consumption vulnerability in the regcomp implementation in the GNU C
Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows
context-dependent attackers to cause a denial of service (resource exhaustion)
via a regular expression containing adjacent repetition operators, as
demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for
ProFTPD.
Package: glibc @ 2.19-18+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2010-4052
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2015-4165 (Negligible)
Package: elasticsearch @ 2.4.0
Link: https://security-tracker.debian.org/tracker/CVE-2015-4165
Layer: a6cc704a9f105c84c73febcc771730135a1ca3a43f8548697b9b388f480f41b7
CVE-2015-5224 (Negligible)
Package: util-linux @ 2.25.2-6
Link: https://security-tracker.debian.org/tracker/CVE-2015-5224
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2010-4756 (Negligible)
The glob implementation in the GNU C Library (aka glibc or libc6) allows remote
authenticated users to cause a denial of service (CPU and memory consumption)
via crafted glob expressions that do not match any pathnames, as demonstrated
by glob expressions in STAT commands to an FTP daemon, a different vulnerability
than CVE-2010-2632.
Package: glibc @ 2.19-18+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2010-4756
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2016-6323 (Negligible)
Package: glibc @ 2.19-18+deb8u4
Fixed version: 2.19-18+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2016-6323
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2013-4392 (Negligible)
systemd, when updating file permissions, allows local users to change the
permissions and SELinux security contexts for arbitrary files via a symlink
attack on unspecified files.
Package: systemd @ 215-17+deb8u4
Link: https://security-tracker.debian.org/tracker/CVE-2013-4392
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2014-8166 (Negligible)
Package: cups @ 1.7.5-11+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2014-8166
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2015-5186 (Negligible)
Package: audit @ 1:2.4-1
Link: https://security-tracker.debian.org/tracker/CVE-2015-5186
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2011-3374 (Negligible)
Package: apt @ 1.0.9.8.3
Link: https://security-tracker.debian.org/tracker/CVE-2011-3374
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2016-3616 (Negligible)
Package: libjpeg-turbo @ 1:1.3.1-12
Link: https://security-tracker.debian.org/tracker/CVE-2016-3616
Layer: 10ecb44384d336384d58f30b0ed98a87a465688370399a871d18c74b9fcc5c71
CVE-2016-6252 (Negligible)
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2016-6252
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2010-0928 (Negligible)
OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro
FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature
calculations, and does not verify the signature before providing it to a caller,
which makes it easier for physically proximate attackers to determine the
private key via a modified supply voltage for the microprocessor, related to a
"fault-based attack."
Package: openssl @ 1.0.1t-1+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2010-0928
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2011-4116 (Negligible)
Package: perl @ 5.20.2-3+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2011-4116
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
CVE-2004-0971 (Negligible)
The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux
1.5 through 2.1, and possibly other operating systems, allows local users to
overwrite files via a symlink attack on temporary files.
Package: krb5 @ 1.12.1+dfsg-19+deb8u2
Link: https://security-tracker.debian.org/tracker/CVE-2004-0971
Layer: 027993a3b5cffd6272f0891e62c8aa2a24c5955c09a56098174234d8452b425d
CVE-2012-3878 (Negligible)
Package: perl @ 5.20.2-3+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2012-3878
Layer: 2c0a4e60a7ab30a735c92fbb5310e9477956192bbb065b34a7fcb8e169b0987d
bjozsa@megatron ~ ❯❯❯