merge to main

[nam20485]

No description provided.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA e4aaeae.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Manifest Files

[github-actions]

🔍 Vulnerabilities of nam20485/odbdesign:pr-195

📦 Image Reference nam20485/odbdesign:pr-195

digest	sha256:95b3850640a69b5a57573ab9fff807c8cf0d4ef5b42f9cf65bf1ff3fdfb3d516
vulnerabilities
platform	linux/amd64
size	40 MB
packages	126

📦 Base Image debian:12-slim

also known as	12.4-slim bookworm-20240110-slim bookworm-slim
digest	sha256:d6a343a9b7faf367bd975cadb5c9af51874a8ecf1a2b2baa96877d578ac96722
vulnerabilities

gnutls28 3.7.9-2+deb12u1 (deb) pkg:deb/debian/[email protected]+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <3.7.9-2+deb12u2 Fixed version 3.7.9-2+deb12u2 Description A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack. Affected range <3.7.9-2+deb12u2 Fixed version 3.7.9-2+deb12u2 Description A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

systemd 252.19-1~deb12u1 (deb) pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range <252.21-1~deb12u1 Fixed version 252.21-1~deb12u1 Description A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

glibc 2.36-9+deb12u3 (deb) pkg:deb/debian/[email protected]+deb12u3?os_distro=bookworm&os_name=debian&os_version=12 Affected range <2.36-9+deb12u4 Fixed version 2.36-9+deb12u4 Description An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer. Affected range <2.36-9+deb12u4 Fixed version 2.36-9+deb12u4 Description An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer. Affected range <2.36-9+deb12u4 Fixed version 2.36-9+deb12u4 Description A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

perl 5.36.0-7+deb12u1 (deb) pkg:deb/debian/[email protected]+deb12u1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. Affected range >=5.36.0-7+deb12u1 Fixed version Not Fixed Description _is_safe in the File::Temp module for Perl does not properly handle symlinks.

shadow 1:4.13+dfsg1-1 (deb) pkg:deb/debian/shadow@1:4.13+dfsg1-1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1:4.13+dfsg1-1 Fixed version Not Fixed Description shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). Affected range >=1:4.13+dfsg1-1 Fixed version Not Fixed Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

tar 1.34+dfsg-1.2 (deb) pkg:deb/debian/[email protected]+dfsg-1.2?os_distro=bookworm&os_name=debian&os_version=12 Affected range <1.34+dfsg-1.2+deb12u1 Fixed version 1.34+dfsg-1.2+deb12u1 Description GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. Affected range <1.34+dfsg-1.2+deb12u1 Fixed version 1.34+dfsg-1.2+deb12u1 Description

util-linux 2.38.1-5 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

gnupg2 2.2.40-1.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.2.40-1.1 Fixed version Not Fixed Description GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

apt 2.6.1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.6.1 Fixed version Not Fixed Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

gcc-12 12.2.0-14 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=12.2.0-14 Fixed version Not Fixed Description libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

coreutils 9.1-1 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=9.1-1 Fixed version Not Fixed Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

util-linux 2.38.1-5+b1 (deb) pkg:deb/debian/[email protected]+b1?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=2.38.1-5 Fixed version Not Fixed Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

libgcrypt20 1.10.1-3 (deb) pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12 Affected range >=1.10.1-3 Fixed version Not Fixed Description cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

[github-actions]

Recommended fixes for image nam20485/odbdesign:pr-195

Base image is debian:12-slim

Name	bookworm-20240110-slim
Digest	sha256:d6a343a9b7faf367bd975cadb5c9af51874a8ecf1a2b2baa96877d578ac96722
Vulnerabilities
Pushed	1 month ago
Size	29 MB
Packages	126
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): 12.4-slim, bookworm-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
12-slim Newer image for same tag Also known as: 12.4-slim bookworm-slim bookworm-20240130-slim	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 1 Image contains equal number of packages Tag is using slim variant Image details: Size: 29 MB Flavor: debian OS: 12 Slim: ✅	1 week ago

Change base image

Tag	Details	Pushed	Vulnerabilities
stable-slim Tag is preferred tag Also known as: stable-20240130-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 1 Image contains equal number of packages Tag is using slim variant stable-slim was pulled 46K times last month Image details: Size: 29 MB Flavor: debian OS: 11 Slim: ✅	1 week ago
12 Tag is latest Also known as: 12.4 bookworm bookworm-20240130 latest	Benefits: Same OS detected Tag was pushed more recently Tag is latest Image introduces no new vulnerability but removes 1 Image contains equal number of packages Image details: Size: 50 MB Flavor: debian OS: 12	1 week ago

[github-actions]

Overview

Image reference	ghcr.io/nam20485/odbdesign:main-latest	nam20485/odbdesign:pr-195
- digest	244106aba0cd	95b3850640a6
- provenance	f535ea6	a414b5e
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	36 MB	40 MB (+4.3 MB)
- packages	126	126
Base Image	debian:12-slim also known as: • 12.4-slim • bookworm-slim	debian:12-slim also known as: • 12.4-slim • bookworm-slim
- vulnerabilities

Labels (3 changes)

• ± 3 changed
• 6 unchanged

 org.opencontainers.image.authors=https://github.com/nam20485
-org.opencontainers.image.created=2024-02-10T20:02:49.277Z
+org.opencontainers.image.created=2024-02-11T00:55:16.053Z
 org.opencontainers.image.description=A free open source cross-platform C++ library for parsing ODB++ Design archives, accessing their data, and building net list product models. Exposed via a REST API and packaged inside of a Docker image.
 org.opencontainers.image.licenses=MIT
-org.opencontainers.image.revision=f535ea64e41209c390305b772b9abee419bc5fc3
+org.opencontainers.image.revision=a414b5e824f2635b7674efb29d2c180ccf03d81a
 org.opencontainers.image.source=https://github.com/nam20485/OdbDesign
 org.opencontainers.image.title=OdbDesign
 org.opencontainers.image.url=https://github.com/nam20485/OdbDesign
-org.opencontainers.image.version=main-725
+org.opencontainers.image.version=pr-195