Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/08/05 14:34:34 UTC

[GitHub] [superset] JayaniH opened a new issue, #20994: Vulnerabilities in the superset image

JayaniH opened a new issue, #20994:
URL: https://github.com/apache/superset/issues/20994

   We are hoping to deploy Apache Superset for a data visualization task, and we carried out a Trivy scan (https://github.com/aquasecurity/trivy) of the superset image prior to the deployment which detected a significant number of vulnerabilities.
   
   > **apache/superset:2.0.0 (debian 11.2) (Digest sha256:ca32ff641daca7447edfe78345e1abbc3b278895b1d4a245e69e28020e3310b7)**
   > Total: 879 (MEDIUM: 384, HIGH: 428, CRITICAL: 67)
   > 
   > **Python**
   > Total: 4 (MEDIUM: 0, HIGH: 2, CRITICAL: 2)
   
   The latest image of superset has fewer vulnerabilities.
   
   > **apache/superset:latest (debian 11.4) (Digest sha256:1397d3d4f1c5da406175df6b1529d7c39cb6cab486f6852577dc985a0208f151)** 
   > Total: 635 (MEDIUM: 250, HIGH: 343, CRITICAL: 42)
   > 
   > **Python**
   > Total: 4 (MEDIUM: 1, HIGH: 1, CRITICAL: 2)
   
   1. Can we know when the superset team is planning to do a new release that includes this new Debian version in the image?
   
   2. As the latest image also contains many vulnerabilities, and fixed versions have been released for some of them, is it possible to get these packages upgraded as well?
   E.g. Curl version 7.74.0-1.3+deb11u1 in the image has been detected as vulnerable. There is a fixed version 7.74.0-1.3+deb11u2.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
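The triage the report above asks for, as an added example (not code from the issue or from the Superset project): it reads the JSON that `trivy image --format json` emits, reproduces the per-severity totals quoted in the issue, and separates findings that already have a fixed Debian package version (the curl case) from those with no fix yet. The embedded report is constructed; only the curl versions come from the issue, and CVE-EXAMPLE-0001 and the remaining versions are placeholders.

```python
"""Triage a Trivy JSON report: severity counts and which findings have a fix.
Added example, not code from the issue or the Superset project. The layout is
the one `trivy image --format json` emits: each "Results" entry has a "Class"
("os-pkgs" or "lang-pkgs") and "Vulnerabilities" with VulnerabilityID, PkgName,
InstalledVersion, Severity and, only when a fix exists, FixedVersion.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report, not a real scan. The curl versions are the ones
# quoted in the issue; CVE-EXAMPLE-0001 and the other versions are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "apache/superset:2.0.0 (debian 11.2)", "Class": "os-pkgs",
     "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-22945", "PkgName": "curl",
         "InstalledVersion": "7.74.0-1.3+deb11u1",
         "FixedVersion": "7.74.0-1.3+deb11u2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-22945", "PkgName": "libcurl4",
         "InstalledVersion": "7.74.0-1.3+deb11u1",
         "FixedVersion": "7.74.0-1.3+deb11u2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2022-23218", "PkgName": "libc6",
         "InstalledVersion": "2.31-13+deb11u2",
         "FixedVersion": "2.31-13+deb11u3", "Severity": "HIGH"},
        # No fix available yet: Trivy simply omits FixedVersion.
        {"VulnerabilityID": "CVE-2022-0435", "PkgName": "linux-libc-dev",
         "InstalledVersion": "5.10.92-1", "Severity": "HIGH"}]},
    {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplepkg",
         "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "MEDIUM"}]},
]})


def load_report(text):
    """Parse Trivy's JSON output."""
    return json.loads(text)


def iter_findings(report):
    """Yield (package class, finding) for every vulnerability in the report."""
    for result in report.get("Results", []):
        # A clean target has no "Vulnerabilities" key (or null), never [].
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Class", ""), vuln


def severity_summary(report, pkg_class=None):
    """Count findings per severity, optionally restricted to one class."""
    counts = Counter(vuln.get("Severity", "UNKNOWN")
                     for cls, vuln in iter_findings(report)
                     if pkg_class is None or cls == pkg_class)
    summary = {sev: counts[sev] for sev in SEVERITY_ORDER}
    summary["Total"] = sum(counts.values())
    return summary


def format_summary(summary):
    """Render the 'Total: N (UNKNOWN: .., ..., CRITICAL: ..)' line Trivy prints."""
    parts = ", ".join(f"{sev}: {summary[sev]}" for sev in SEVERITY_ORDER)
    return f"Total: {summary['Total']} ({parts})"


def triage(report, min_severity="HIGH"):
    """Split findings at or above min_severity into fixable and unfixed.
    fixable: package -> {"installed", "fixed": set of versions, "cves": set};
    unfixed: list of (CVE id, package) pairs that have no FixedVersion."""
    threshold = SEVERITY_ORDER.index(min_severity)
    fixable, unfixed = {}, []
    for _cls, vuln in iter_findings(report):
        if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) < threshold:
            continue
        pkg, cve, fixed = vuln["PkgName"], vuln["VulnerabilityID"], vuln.get("FixedVersion")
        if not fixed:
            unfixed.append((cve, pkg))
            continue
        entry = fixable.setdefault(pkg, {"installed": vuln.get("InstalledVersion"),
                                         "fixed": set(), "cves": set()})
        # Several fixed versions may be listed as "a, b" (one per upstream
        # branch); keep them all rather than guessing which one applies.
        entry["fixed"].update(v.strip() for v in fixed.split(","))
        entry["cves"].add(cve)
    return fixable, unfixed


def apt_upgrade_command(fixable):
    """apt-get line for a derived image; pin only when one fixed version is known."""
    specs = [f"{pkg}={next(iter(e['fixed']))}" if len(e["fixed"]) == 1 else pkg
             for pkg, e in sorted(fixable.items())]
    return "apt-get install --only-upgrade " + " ".join(specs)


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print("OS packages:", format_summary(severity_summary(rep, "os-pkgs")))
    fixable, unfixed = triage(rep)
    print(apt_upgrade_command(fixable), "| no fix yet:", unfixed)
```

Run it against a real report with `trivy image --format json -o report.json apache/superset:2.0.0` and `load_report(open("report.json").read())`; the unfixed list is what cannot be closed by rebuilding on current Debian packages.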


[GitHub] [superset] qwerty1q2w commented on issue #20994: Vulnerabilities in the superset image

Posted by "qwerty1q2w (via GitHub)" <gi...@apache.org>.
qwerty1q2w commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1415764242

   trivy image apache/superset:2.0.1 --security-checks vuln
   
   Total: 1754 (UNKNOWN: 7, LOW: 606, MEDIUM: 523, HIGH: 549, CRITICAL: 69)
   
   
   Python (python-pkg)
   ===================
   Total: 11 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 8, CRITICAL: 2)




[GitHub] [superset] qwerty1q2w commented on issue #20994: Vulnerabilities in the superset image

Posted by "qwerty1q2w (via GitHub)" <gi...@apache.org>.
qwerty1q2w commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1415515373

   ### Vulnerabilities
   
   CVE | Package | CVSS | Title | Description
   -- | -- | -- | -- | --
   CVE-2022-0204 | libbluetooth-dev libbluetooth3 | 8.8 | bluez: heap-based buffer overflow in the implementation of the gatt protocol | A  heap overflow vulnerability was found in bluez in versions prior to  5.63. An attacker with local network access could pass specially crafted  files causing an application to halt or crash, leading to a denial of  service.
   CVE-2021-43400 | libbluetooth-dev libbluetooth3 | 9.1 | bluez: use-after-free in gatt-database.c | An  issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free  can occur when a client disconnects during D-Bus processing of a  WriteValue call.
   CVE-2022-3649 | linux-libc-dev | 9.8 | kernel: nilfs2: use-after-free in nilfs_new_inode of fs/nilfs2/inode.c | A  vulnerability was found in Linux Kernel. It has been classified as  problematic. Affected is the function nilfs_new_inode of the file  fs/nilfs2/inode.c of the component BPF. The manipulation leads to use  after free. It is possible to launch the attack remotely. It is  recommended to apply a patch to fix this issue. The identifier of this  vulnerability is VDB-211992.
   CVE-2020-26560 | libbluetooth-dev libbluetooth3 | 8.1 | kernel: impersonation attack in Bluetooth Mesh Provisioning | Bluetooth  Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may  permit a nearby device, reflecting the authentication evidence from a  Provisioner, to complete authentication without possessing the  AuthValue, and potentially acquire a NetKey and AppKey.
   CVE-2022-41903 | git git-man | 9.8 | Git is distributed revision control system. `git log` can display comm ... | Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
   CVE-2022-40674 | libexpat1 libexpat1-dev | 9.8 | expat: a use-after-free in the doContent function in xmlparse.c | libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
   CVE-2022-23218 | libc-bin libc-dev-bin libc6 libc6-dev | 9.8 | glibc: Stack-based buffer overflow in svcunix_create via long pathnames | The  deprecated compatibility function svcunix_create in the sunrpc module  of the GNU C Library (aka glibc) through 2.34 copies its path argument  on the stack without validating its length, which may result in a buffer  overflow, potentially resulting in a denial of service or (if an  application is not built with a stack protector enabled) arbitrary code  execution.
   CVE-2021-33574 | libc-bin libc-dev-bin libc6 libc6-dev | 9.8 | glibc: mq_notify does not handle separately allocated thread attributes | The  mq_notify function in the GNU C Library (aka glibc) versions 2.32 and  2.33 has a use-after-free. It may use the notification thread attributes  object (passed through its struct sigevent parameter) after it has been  freed by the caller, leading to a denial of service (application crash)  or possibly unspecified other impact.
   CVE-2021-22945 | curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev | 9.1 | curl: use-after-free and double-free in MQTT sending | When  sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could  in some circumstances erroneously keep a pointer to an already freed  memory area and both use that again in a subsequent call to send data  and also free it *again*.
   CVE-2022-23219 | libc-bin libc-dev-bin libc6 libc6-dev | 9.8 | glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname | The  deprecated compatibility function clnt_create in the sunrpc module of  the GNU C Library (aka glibc) through 2.34 copies its hostname argument  on the stack without validating its length, which may result in a buffer  overflow, potentially resulting in a denial of service or (if an  application is not built with a stack protector enabled) arbitrary code  execution.
   CVE-2022-44638 | libpixman-1-0 libpixman-1-dev | 8.8 | pixman: Integer overflow in pixman_sample_floor_y leading to heap out-of-bounds write | In  libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka  heap-based buffer overflow) in rasterize_edges_8 due to an integer  overflow in pixman_sample_floor_y.
   CVE-2022-1253 | libde265-0 | 9.8 | Heap-based Buffer Overflow in GitHub repository strukturag/libde265 pr ... | Heap-based  Buffer Overflow in GitHub repository strukturag/libde265 prior to and  including 1.0.8. The fix is established in commit  8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an  official release.
   CVE-2022-32207 | curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev | 9.8 | curl: Unpreserved file permissions | When  curl < 7.84.0 saves cookies, alt-svc and hsts data to local files,  it makes the operation atomic by finalizing the operation with a rename  from a temporary name to the final target file name.In that rename  operation, it might accidentally *widen* the permissions for the target  file, leaving the updated file accessible to more users than intended.
   CVE-2022-32221 | curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev | 9.8 | curl: POST following PUT confusion | When  doing HTTP(S) transfers, libcurl might erroneously use the read  callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the  `CURLOPT_POSTFIELDS` option has been set, if the same handle previously  was used to issue a `PUT` request which used that callback. This flaw  may surprise the application and cause it to misbehave and either send  off the wrong data or use memory after free or similar in the subsequent  `POST` request. The problem exists in the logic for a reused handle  when it is changed from a PUT to a POST.
   CVE-2022-22576 | curl libcurl3-gnutls libcurl4 libcurl4-openssl-dev | 8.1 | curl: OAUTH2 bearer bypass in connection re-use | An  improper authentication vulnerability exists in curl 7.33.0 to and  including 7.82.0 which might allow reuse OAUTH2-authenticated  connections without properly making sure that the connection was  authenticated with the same credentials as set for this transfer. This  affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S)  (openldap only).
   CVE-2022-41674 | linux-libc-dev | 8.1 | kernel: u8 overflow problem in  cfg80211_update_notlisted_nontrans() | An  issue was discovered in the Linux kernel before 5.19.16. Attackers able  to inject WLAN frames could cause a buffer overflow in the  ieee80211_bss_info_update function in net/mac80211/scan.c.
   CVE-2022-0435 | linux-libc-dev | 8.8 | kernel: remote stack overflow via kernel panic on systems using TIPC may lead to DoS | A  stack overflow flaw was found in the Linux kernel's TIPC protocol  functionality in the way a user sends a packet with malicious content  where the number of domain member nodes is higher than the 64 allowed.  This flaw allows a remote user to crash the system or possibly escalate  their privileges if they have access to the TIPC network.
   CVE-2022-47629 | libksba8 | 9.8 | libksba: integer overflow to code execution | Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.
   CVE-2022-42896 | linux-libc-dev | 8.8 | kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c | There  are use-after-free vulnerabilities in the Linux kernel's  net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req  functions which may allow code execution and leaking kernel memory  (respectively) remotely via Bluetooth. A remote attacker could execute  code leaking kernel memory via Bluetooth if within proximity of the  victim. We recommend upgrading past commit https://www.google.com/url  https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4  https://www.google.com/url
   CVE-2022-42719 | linux-libc-dev | 8.8 | kernel: A use-after-free problem observed in multi-BSSID element when parsing | A  use-after-free in the mac80211 stack when parsing a multi-BSSID element  in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by  attackers (able to inject WLAN frames) to crash the kernel and  potentially execute code.
   CVE-2019-8457 | libdb5.3 libdb5.3-dev | 9.8 | sqlite: heap out-of-bound read in function rtreenode() | SQLite3  from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound  read in the rtreenode() function when handling invalid rtree tables.
   CVE-2021-30560 | libxslt1-dev libxslt1.1 | 8.8 | Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 a ... | Use  after free in Blink XSLT in Google Chrome prior to 91.0.4472.164  allowed a remote attacker to potentially exploit heap corruption via a  crafted HTML page.
   CVE-2022-1292 | libssl-dev libssl1.1 openssl | 9.8 | openssl: c_rehash script allows command injection | The  c_rehash script does not properly sanitise shell metacharacters to  prevent command injection. This script is distributed by some operating  systems in a manner where it is automatically executed. On such  operating systems, an attacker could execute arbitrary commands with the  privileges of the script. Use of the c_rehash script is considered  obsolete and should be replaced by the OpenSSL rehash command line tool.  Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL  1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected  1.0.2-1.0.2zd).
   CVE-2021-46848 | libtasn1-6 | 9.1 | libtasn1: Out-of-bound access in ETYPE_OK | GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
   CVE-2022-2068 | libssl-dev libssl1.1 openssl | 9.8 | openssl: the c_rehash script allows command injection | In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
   CVE-2022-3970 | libtiff-dev libtiff5 libtiffxx5 | 8.8 | libtiff: integer overflow in function TIFFReadRGBATileExt of the file | A  vulnerability was found in LibTIFF. It has been classified as critical.  This affects the function TIFFReadRGBATileExt of the file  libtiff/tif_getimage.c. The manipulation leads to integer overflow. It  is possible to initiate the attack remotely. The exploit has been  disclosed to the public and may be used. The name of the patch is  227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a  patch to fix this issue. The identifier VDB-213549 was assigned to this  vulnerability.
   CVE-2022-1586 | libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libpcre2-dev libpcre2-posix2 | 9.1 | pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c | An  out-of-bounds read vulnerability was discovered in the PCRE2 library in  the compile_xclass_matchingpath() function of the pcre2_jit_compile.c  file. This involves a unicode property matching issue in JIT-compiled  regular expressions. The issue occurs because the character was not  fully read in case-less matching within JIT.
   CVE-2022-27404 | libfreetype-dev libfreetype6 libfreetype6-dev | 9.8 | FreeType: Buffer overflow in sfnt_init_face | FreeType  commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to  contain a heap buffer overflow via the function sfnt_init_face.
   CVE-2022-29155 | libldap-2.4-2 | 9.8 | openldap: OpenLDAP SQL injection | In  OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection  vulnerability exists in the experimental back-sql backend to slapd, via a  SQL statement within an LDAP query. This can occur during an LDAP  search operation when the search filter is processed, due to a lack of  proper escaping.
   CVE-2022-3640 | linux-libc-dev | 8.8 | kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c | A  vulnerability, which was classified as critical, was found in Linux  Kernel. Affected is the function l2cap_conn_del of the file  net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation  leads to use after free. It is recommended to apply a patch to fix this  issue. The identifier of this vulnerability is VDB-211944.
   CVE-2022-1012 | linux-libc-dev | 8.2 | kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak | A  memory leak problem was found in the TCP source port generation  algorithm in net/ipv4/tcp.c due to the small table perturb size. This  flaw may allow an attacker to information leak and may cause a denial of  service problem.
   CVE-2022-1587 | libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libpcre2-dev libpcre2-posix2 | 9.1 | pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c | An  out-of-bounds read vulnerability was discovered in the PCRE2 library in  the get_recurse_data_length() function of the pcre2_jit_compile.c file.  This issue affects recursions in JIT-compiled regular expressions  caused by duplicate data transfers.
   CVE-2022-39260 | git git-man | 8.8 | git: git shell function that splits command arguments can lead to arbitrary heap writes. | Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
   CVE-2022-42898 | krb5-multidev libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libkrb5-3 libkrb5-dev libkrb5support0 | 8.8 | krb5: integer overflow vulnerabilities in PAC parsing | PAC  parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before  1.20.1 has integer overflows that may lead to remote code execution (in  KDC, kadmind, or a GSS or Kerberos application server) on 32-bit  platforms (which have a resultant heap-based buffer overflow), and cause  a denial of service on other platforms. This occurs in krb5_pac_parse  in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
   CVE-2020-21598 | libde265-0 | 8.8 | libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ... | libde265  v1.0.4 contains a heap buffer overflow in the  ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a  crafted a file.
   CVE-2021-44648 | gir1.2-gdkpixbuf-2.0 libgdk-pixbuf-2.0-0 libgdk-pixbuf-2.0-dev libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common | 8.8 | gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data | GNOME  gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability  when decoding the lzw compressed stream of image data in GIF files with  lzw minimum code size equals to 12.
   CVE-2020-36131 | libaom0 | 8.8 | AOM v2.0.1 was discovered to contain a stack buffer overflow via the c ... | AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.
   CVE-2020-26559 | libbluetooth-dev libbluetooth3 | 8.8 | kernel: Authvalue leak in Bluetooth Mesh Provisioning | Bluetooth  Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may  permit a nearby device (participating in the provisioning protocol) to  identify the AuthValue used given the Provisioner’s public key, and the  confirmation number and nonce provided by the provisioning device. This  could permit a device without the AuthValue to complete provisioning  without brute-forcing the AuthValue.
   CVE-2022-37434 | zlib1g zlib1g-dev | 9.8 | zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field | zlib  through 1.2.12 has a heap-based buffer over-read or buffer overflow in  inflate in inflate.c via a large gzip header extra field. NOTE: only  applications that call inflateGetHeader are affected. Some common  applications bundle the affected zlib source code but may be unable to  call inflateGetHeader (e.g., see the nodejs/node reference).
   CVE-2020-36133 | libaom0 | 8.8 | AOM v2.0.1 was discovered to contain a global buffer overflow via the  ... | AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.
   CVE-2022-39177 | libbluetooth-dev libbluetooth3 | 8.8 | bluez:  BlueZ allows physically proximate attackers to cause a denial of  service because malformed and invalid capabilities can be processed in  profiles/audio/avdtp.c | BlueZ  before 5.59 allows physically proximate attackers to cause a denial of  service because malformed and invalid capabilities can be processed in  profiles/audio/avdtp.c.
   CVE-2022-1664 | dpkg dpkg-dev libdpkg-perl | 9.8 | Dpkg::Source::Archive in dpkg, the Debian package management system, b ... | Dpkg::Source::Archive  in dpkg, the Debian package management system, before version 1.21.8,  1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal  vulnerability. When extracting untrusted source packages in v2 and v3  source package formats that include a debian.tar, the in-place  extraction can lead to directory traversal situations on specially  crafted orig.tar and debian.tar tarballs.
   CVE-2022-48281 | libtiff-dev libtiff5 libtiffxx5 | 8.8 | processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has ... | processCropSelections  in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer  overflow (e.g., "WRITE of size 307203") via a crafted TIFF image.
   CVE-2021-29921 | libpython3.9-minimal libpython3.9-stdlib python3.9 python3.9-minimal | 9.8 | python-ipaddress: Improper input validation of octal strings | In  Python before 3,9,5, the ipaddress library mishandles leading zero  characters in the octets of an IP address string. This (in some  situations) allows attackers to bypass access control that is based on  IP addresses.
   CVE-2022-23521 | git git-man | 9.8 | Git is distributed revision control system. gitattributes are a mechan ... | Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
   CVE-2022-2196 | linux-libc-dev | 8.8 | kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks | A  regression exists in the Linux Kernel within KVM: nVMX that allowed for  speculative execution attacks. L2 can carry out Spectre v2 attacks on  L1 due to L1 thinking it doesn't need retpolines or IBPB after running  L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2  with code execution can execute code on an indirect branch on the host  machine. We recommend upgrading to Kernel 6.2 or past commit  2e7eab81425a
   CVE-2022-39176 | libbluetooth-dev libbluetooth3 | 8.8 | bluez:  BlueZ allows physically proximate attackers to obtain sensitive  information because profiles/audio/avrcp.c does not validate params_len | BlueZ  before 5.59 allows physically proximate attackers to obtain sensitive  information because profiles/audio/avrcp.c does not validate params_len.
   CVE-2022-3515 | libksba8 | 9.8 | libksba: integer overflow may lead to remote code execution | A  vulnerability was found in the Libksba library due to an integer  overflow within the CRL parser. The vulnerability can be exploited  remotely for code execution on the target system by passing specially  crafted data to the application, for example, a malicious S/MIME  attachment.
   CVE-2022-3643 | linux-libc-dev | 10 | Xen Security Advisory 423 v1: Guests can trigger NIC interface reset/abort/crash via netback | Guests  can trigger NIC interface reset/abort/crash via netback It is possible  for a guest to trigger a NIC interface reset/abort/crash in a Linux  based network backend by sending certain kinds of packets. It appears to  be an (unwritten?) assumption in the rest of the Linux network stack  that packet protocol headers are all contained within the linear section  of the SKB and some NICs behave badly if this is not the case. This has  been reported to occur with Cisco (enic) and Broadcom NetXtrem II  BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as  well. In case the frontend is sending requests with split headers,  netback will forward those violating above mentioned assumption to the  networking core, resulting in said misbehavior.
   CVE-2021-30475 | libaom0 | 9.8 | aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buf ... | aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow.
   CVE-2022-27223 | linux-libc-dev | 8.8 | kernel: In drivers/usb/gadget/udc/udc-xilinx.c the endpoint index is not validated | In  drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12,  the endpoint index is not validated and might be manipulated by the  host for out-of-array access.
   CVE-2021-30473 | libaom0 | 9.8 | aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that i ... | aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
   CVE-2022-1271 | gzip liblzma-dev liblzma5 xz-utils | 8.8 | gzip: arbitrary-file-write vulnerability | An  arbitrary file write vulnerability was found in GNU gzip's zgrep  utility. When zgrep is applied on the attacker's chosen file name (for  example, a crafted file name), this can overwrite an attacker's content  to an arbitrary attacker-selected file. This flaw occurs due to  insufficient validation when processing filenames with two or more  newlines where selected content and the target file names are embedded  in crafted multi-line file names. This flaw allows a remote, low  privileged attacker to force zgrep to write arbitrary files on the  system.
   CVE-2022-3565 | linux-libc-dev | 8 | kernel: use-after-free in l1oip timer handlers | A  vulnerability, which was classified as critical, has been found in  Linux Kernel. Affected by this issue is the function del_timer of the  file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The  manipulation leads to use after free. It is recommended to apply a patch  to fix this issue. The identifier of this vulnerability is VDB-211088.
   CVE-2021-30474 | libaom0 | 9.8 | aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use ... | aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free.




[GitHub] [superset] qwerty1q2w commented on issue #20994: Vulnerabilities in the superset image

Posted by "qwerty1q2w (via GitHub)" <gi...@apache.org>.
qwerty1q2w commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1415495463

   +1 I think a lot of people use superset to analyze critical data. Can you prepare an image without vulnerabilities?




[GitHub] [superset] aleks-liu commented on issue #20994: Vulnerabilities in the superset image

Posted by "aleks-liu (via GitHub)" <gi...@apache.org>.
aleks-liu commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1415828546

   +1 
   please pay attention to the vulnerabilities in this image.
   Thank you in advance.




Re: [I] Vulnerabilities in the superset image [superset]

Posted by "sfirke (via GitHub)" <gi...@apache.org>.
sfirke commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1930210463

   I don't think this specific bug report is actionable as it stands.  Superset version 2.0.1 has passed end of life support.
   
   If people have ideas for how to improve Superset by changing the Python versions or dependencies it depends on, I encourage them to get involved:
   - Short-term, you could send your suggestion to security@superset.apache.org, or email the Apache Superset Dev list with your idea and try to start a discussion there.  It could become a Superset Improvement Proposal, if appropriate.
   - Longer-term, you could also attend a Superset Town Hall meeting (typically once a month on Fridays, see the community calendar) and raise it for discussion there.  And, with some contributions and trust built up, even join the security working group -- I believe they are often looking for new members.


[GitHub] [superset] qwerty1q2w commented on issue #20994: Vulnerabilities in the superset image

Posted by "qwerty1q2w (via GitHub)" <gi...@apache.org>.
qwerty1q2w commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1424026443

   @mdeshmu Hi! Thanks! Can you use images like https://hub.docker.com/r/bitnami/python/ or build such images yourself or use [distroless](https://github.com/GoogleContainerTools/distroless) images?
   
   https://hub.docker.com/r/bitnami/minideb/
   https://github.com/bitnami/minideb - The images are built daily and have the security release enabled, so will contain any security updates released more than 24 hours ago.


[GitHub] [superset] ivanshamaev commented on issue #20994: Vulnerabilities in the superset image

Posted by "ivanshamaev (via GitHub)" <gi...@apache.org>.
ivanshamaev commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1418943280

   +1


[GitHub] [superset] mdeshmu commented on issue #20994: Vulnerabilities in the superset image

Posted by "mdeshmu (via GitHub)" <gi...@apache.org>.
mdeshmu commented on issue #20994:
URL: https://github.com/apache/superset/issues/20994#issuecomment-1423894471

   @qwerty1q2w 
   
   Can you check vulnerabilities in the **master-py39** image and share the results?
   
   docker pull apache/superset:master-py39

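A way to answer the two requests in this thread (compare images by severity, and find the packages the original report asks about, i.e. those whose distribution already ships a fixed version) is to post-process Trivy's JSON output rather than eyeball its table. The script below is an added example, not code from the Superset project or from anyone in this thread. It assumes Trivy's `--format json` report layout (`Results` / `Target` / `Vulnerabilities` with `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report is constructed for illustration and its package names, CVE ids and versions are placeholders, not real findings.

```python
"""Summarise a Trivy JSON report the way this thread compares images.

Added example, not part of the Superset project or the issue. It reads
Trivy's `--format json` output, counts findings by severity per target
(the "Total: N (MEDIUM: a, HIGH: b, CRITICAL: c)" line of the report)
and lists the packages that already have a FixedVersion, i.e. the ones
a rebuild of the image against current distribution packages would close.
"""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of Trivy's JSON schema. All ids,
# package names and versions below are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/image:tag",
    "Results": [
        {
            "Target": "example/image:tag (debian 11.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-1+deb11u1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplecurl",
                 "InstalledVersion": "7.0-1", "FixedVersion": "7.0-2",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplepkg",
                 "InstalledVersion": "2.0", "FixedVersion": "2.1",
                 "Severity": "CRITICAL"},
            ],
        },
    ],
})


def severity_counts(report_json: str) -> dict:
    """Return {target: Counter(severity -> count)} for every result."""
    report = json.loads(report_json)
    counts = {}
    for result in report.get("Results", []):
        c = Counter()
        # Trivy emits null (not []) for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            c[vuln.get("Severity", "UNKNOWN")] += 1
        counts[result["Target"]] = c
    return counts


def fixable_packages(report_json: str, min_severity: str = "HIGH") -> list:
    """(target, package, installed, fixed, id) for findings at or above
    min_severity that have a FixedVersion. Deduplicated per package and
    fix version, so a package with several CVEs closed by one upgrade
    appears once."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    report = json.loads(report_json)
    seen = set()
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion")
            if not fixed:
                continue  # no upstream fix yet: upgrading cannot help
            if rank.get(vuln.get("Severity", "UNKNOWN"), 0) < rank[min_severity]:
                continue
            key = (result["Target"], vuln["PkgName"], fixed)
            if key in seen:
                continue
            seen.add(key)
            out.append((result["Target"], vuln["PkgName"],
                        vuln.get("InstalledVersion", ""), fixed,
                        vuln["VulnerabilityID"]))
    return out


def format_summary(report_json: str) -> str:
    """Render per-target totals in the same shape as Trivy's table header."""
    lines = []
    for target, c in severity_counts(report_json).items():
        total = sum(c.values())
        detail = ", ".join(f"{s}: {c[s]}" for s in ("MEDIUM", "HIGH", "CRITICAL"))
        lines.append(f"{target}\nTotal: {total} ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real usage: trivy image --format json -o report.json apache/superset:TAG
    # and pass the file contents instead of SAMPLE_REPORT.
    print(format_summary(SAMPLE_REPORT))
    for row in fixable_packages(SAMPLE_REPORT):
        print("fix available:", row)
```

Running the scan against two tags and diffing the output of `fixable_packages` gives the list worth raising with the image maintainers: findings without a `FixedVersion` cannot be closed by a rebuild and only clutter the count, while those with one are exactly the cases the original question cites.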

Re: [I] Vulnerabilities in the superset image [superset]

Posted by "sfirke (via GitHub)" <gi...@apache.org>.
sfirke closed issue #20994: Vulnerabilities in the superset image
URL: https://github.com/apache/superset/issues/20994
