[Snyk] Security upgrade python from 3.11.8-slim-bookworm to 3.12.4-slim-bookworm #4224
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN12-SYSTEMD-6277507
- https://snyk.io/vuln/SNYK-DEBIAN12-SYSTEMD-6277507
- https://snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-6048820
- https://snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-6148845
- https://snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-6190223
👍 Looks good to me! Reviewed everything up to 5905c9b in 27 seconds
More details
- Looked at 13 lines of code in 1 file
- Skipped 0 files when reviewing
- Skipped posting 1 drafted comment based on config settings

1. Dockerfile:3
- Draft comment: The update of the Python image from 3.11.8-slim-bookworm to 3.12.4-slim-bookworm is appropriate to address the security vulnerabilities listed. Ensure that the application's compatibility with Python 3.12.4 is tested, as minor version updates can sometimes introduce breaking changes or deprecations that could affect the application.
- Reason this comment was not posted: Confidence changes required: 0%. The PR is intended to update the Python base image from version 3.11.8 to 3.12.4 to address security vulnerabilities. The change is straightforward and involves updating the version number in the Dockerfile. This is a typical and necessary update to keep the software dependencies secure and up-to-date. The PR description provided by Snyk outlines the vulnerabilities that are addressed by this update, which includes high and medium severity issues related to systemd and OpenSSL. The change does not appear to introduce any new issues or conflicts with existing configurations in the Dockerfile.
🔍 Vulnerabilities of

| digest | sha256:8afa72a699ab39ef602492f7d5098f709522fec7c8c12cb714a719593a5c359b |
|---|---|
| vulnerabilities | |
| size | 877 MB |
| packages | 1391 |
📦 Base Image python:3-slim
stdlib

| Affected range | <1.21.11 |
|---|---|
| Fixed version | 1.21.11 |
| EPSS Score | 0.06% |
| EPSS Percentile | 28th percentile |
Description
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
| Affected range | <1.21.12 |
|---|---|
| Fixed version | 1.21.12 |
| EPSS Score | 0.04% |
| EPSS Percentile | 16th percentile |
Description
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.
An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
| Affected range | <1.21.8 |
|---|---|
| Fixed version | 1.21.8 |
| EPSS Score | 0.04% |
| EPSS Percentile | 11th percentile |
Description
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
git 1:2.39.2-1.1 (deb)
pkg:deb/debian/git@1:2.39.2-1.1?os_distro=bookworm&os_name=debian&os_version=12

```dockerfile
# Dockerfile (93:95)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1 software-properties-common \
    && rm -rf /var/lib/apt/lists/*
```

| Affected range | >=1:2.39.2-1.1 |
|---|---|
| Fixed version | Not Fixed |
| EPSS Score | 0.15% |
| EPSS Percentile | 52nd percentile |
Description
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
| Affected range | >=1:2.39.2-1.1 |
|---|---|
| Fixed version | Not Fixed |
| EPSS Score | 0.04% |
| EPSS Percentile | 11th percentile |
Description
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.
| Affected range | >=1:2.39.2-1.1 |
|---|---|
| Fixed version | Not Fixed |
| EPSS Score | 0.04% |
| EPSS Percentile | 11th percentile |
Description
Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: for example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.
github.com/docker/docker 24.0.7+incompatible (golang)
pkg:golang/github.com/docker/docker@24.0.7%2Bincompatible

```dockerfile
# Dockerfile (111:117)
RUN if [ "$WITH_HELM" = "true" ]; then \
    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
    wget "https://get.helm.sh/helm-v${HELM_VERSION}-linux-$arch.tar.gz" && \
    tar -zxvf "helm-v${HELM_VERSION}-linux-$arch.tar.gz" && \
    mv linux-$arch/helm /usr/local/bin/helm &&\
    chmod +x /usr/local/bin/helm; \
    else echo 'Building the image without helm'; fi
```

| Affected range | >=24.0.0 |
|---|---|
| Fixed version | 26.1.4 |
| CVSS Score | 9.9 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| EPSS Score | 0.04% |
| EPSS Percentile | 16th percentile |
Description
A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.
Impact
Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
Vulnerability details
- AuthZ bypass and privilege escalation: An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.
- Initial fix: The issue was fixed in Docker Engine v18.09.1 in January 2019.
- Regression: The fix was not included in Docker Engine v19.03 or newer versions. This was identified in April 2024 and patches were released for the affected versions on July 23, 2024. The issue was assigned CVE-2024-41110.
Patches
- docker-ce v27.1.1 contains patches to fix the vulnerability.
- Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches.
Remediation steps
- If you are running an affected version, update to the most recent patched version.
- Mitigation if unable to update immediately:
- Avoid using AuthZ plugins.
- Restrict access to the Docker API to trusted parties, following the principle of least privilege.
aom 3.6.0-1 (deb)
pkg:deb/debian/aom@3.6.0-1?os_distro=bookworm&os_name=debian&os_version=12

```dockerfile
# Dockerfile (93:95)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1 software-properties-common \
    && rm -rf /var/lib/apt/lists/*
```

| Affected range | >=3.6.0-1 |
|---|---|
| Fixed version | Not Fixed |
| EPSS Score | 0.06% |
| EPSS Percentile | 26th percentile |
Description
Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:
- Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
- Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
- Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
pillow 9.4.0 (pypi)
pkg:pypi/pillow@9.4.0

```dockerfile
# Dockerfile (155:155)
COPY --from=builder /frontend/build /static_frontend
```

| Affected range | <10.0.1 |
|---|---|
| Fixed version | 10.0.1 |
| CVSS Score | 8.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS Score | 64.44% |
| EPSS Percentile | 98th percentile |
Description
Heap buffer overflow in libwebp allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
Improper Control of Generation of Code ('Code Injection')
| Affected range | <10.2.0 |
|---|---|
| Fixed version | 10.2.0 |
| CVSS Score | 8.1 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS Score | 0.07% |
| EPSS Percentile | 33rd percentile |
Description
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Uncontrolled Resource Consumption
| Affected range | <10.0.0 |
|---|---|
| Fixed version | 10.0.0 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.05% |
| EPSS Percentile | 23rd percentile |
Description
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
| Affected range | <10.0.1 |
|---|---|
| Fixed version | 10.0.1 |
Description
Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
cryptography 38.0.4 (pypi)
pkg:pypi/cryptography@38.0.4

```dockerfile
# Dockerfile (93:95)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1 software-properties-common \
    && rm -rf /var/lib/apt/lists/*
```

| Affected range | >=38.0.0 |
|---|---|
| Fixed version | 42.0.4 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.04% |
| EPSS Percentile | 16th percentile |
Description
If `pkcs12.serialize_key_and_certificates` is called with both:
- A certificate whose public key did not match the provided private key
- An `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`)

then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a `ValueError` is properly raised. Patched in pyca/cryptography#10423.
| Affected range | <42.0.0 |
|---|---|
| Fixed version | 42.0.0 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS Score | 0.10% |
| EPSS Percentile | 41st percentile |
Description
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Access of Resource Using Incompatible Type ('Type Confusion')
| Affected range | >=0.8.1 |
|---|---|
| Fixed version | 39.0.1 |
| CVSS Score | 7.4 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H |
| EPSS Score | 0.30% |
| EPSS Percentile | 70th percentile |
Description
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
nodejs 20.16.0-1nodesource1 (deb)
pkg:deb/debian/nodejs@20.16.0-1nodesource1?os_distro=bookworm&os_name=debian&os_version=12

```dockerfile
# Dockerfile (155:155)
COPY --from=builder /frontend/build /static_frontend
```

| Affected range | >=18.19.0+dfsg-6~deb12u2 |
|---|---|
| Fixed version | Not Fixed |
| EPSS Score | 0.04% |
| EPSS Percentile | 16th percentile |
Description
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
| Affected range | >=18.19.0+dfsg-6~deb12u2 |
|---|---|
| Fixed version | Not Fixed |
| EPSS Score | 0.04% |
| EPSS Percentile | 16th percentile |
Description
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
pip 24.0 (pypi)
pkg:pypi/pip@24.0

```dockerfile
# Dockerfile (80:80)
FROM ${PYTHON_IMAGE}
```

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

| Affected range | >=0 |
|---|---|
| Fixed version | Not Fixed |
| CVSS Score | 7.8 |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS Score | 0.11% |
| EPSS Percentile | 45th percentile |
Description
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the `--extra-index-url` option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number).
System.Data.SqlClient 4.8.5 (nuget)
pkg:nuget/System.Data.SqlClient@4.8.5

```dockerfile
# Dockerfile (98:109)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi; \
    else echo 'Building the image without powershell'; fi
```

Cleartext Transmission of Sensitive Information

| Affected range | <4.8.6 |
|---|---|
| Fixed version | 4.8.6 |
| CVSS Score | 8.7 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
| EPSS Score | 0.13% |
| EPSS Percentile | 48th percentile |
Description
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
System.Formats.Asn1 7.0.0 (nuget)
pkg:nuget/System.Formats.Asn1@7.0.0

```dockerfile
# Dockerfile (98:109)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi; \
    else echo 'Building the image without powershell'; fi
```

| Affected range | >=7.0.0-preview.1.22076.8 |
|---|---|
| Fixed version | 8.0.1 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.06% |
| EPSS Percentile | 28th percentile |
Description
Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates: a malicious certificate can result in excessive CPU consumption on all platforms, resulting in denial of service.
Announcement
Announcement for this issue can be found at dotnet/announcements#312
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
- Any .NET 6.0 application running on .NET 6.0.31 or earlier.
- Any .NET 8.0 application running on .NET 8.0.6 or earlier.
Affected Packages
The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.
.NET 6
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-arm | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-x86 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| System.Formats.Asn1 | >=5.0.0-preview.7.20364.11 | 6.0.1 |

.NET 8

| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-arm | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-x86 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| System.Formats.Asn1 | <=6.0.0, >=7.0.0-preview.1.22076.8 | 8.0.1 |

Advisory FAQ
How do I know if I am affected?
If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.
How do I fix the issue?
- To fix the issue please install the latest version of .NET 8.0 or .NET 7.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
- If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following:

```text
.NET Core SDK (reflecting any global.json):
 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):
  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:
  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```
- If you're using .NET 8.0, you should download and install .NET 8.0.7 Runtime or .NET 8.0.107 SDK (for Visual Studio 2022 v17.8) from https://dotnet.microsoft.com/download/dotnet-core/8.0.
- If you're using .NET 6.0, you should download and install Runtime 6.0.32 or SDK 6.0.132 (for Visual Studio 2022 v17.4) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
.NET 6.0 and .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
V1.0 (July 09, 2024): Advisory published.
Version 1.0
Last Updated 2024-07-09
System.Formats.Asn1 7.0.823.31807 (nuget)
pkg:nuget/System.Formats.Asn1@7.0.823.31807

```dockerfile
# Dockerfile (98:109)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi; \
    else echo 'Building the image without powershell'; fi
```

| Affected range | >=7.0.0-preview.1.22076.8 |
|---|---|
| Fixed version | 8.0.1 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.06% |
| EPSS Percentile | 28th percentile |
Description
Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability (the same advisory text as for the System.Formats.Asn1 7.0.0 entry above).
External Links
Revisions
V1.0 (July 09, 2024): Advisory published.
Version 1.0
Last Updated 2024-07-09
System.Text.Json 7.0.823.31807
(nuget)
pkg:nuget/System.Text.Json@7.0.823.31807
# Dockerfile (98:109)

```dockerfile
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi; \
    else echo 'Building the image without powershell'; fi
```
Uncontrolled Resource Consumption

| Field | Value |
| --- | --- |
| Affected range | >=7.0.0 |
| Fixed version | 8.0.4 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.06% |
| EPSS Percentile | 28th percentile |
Description
Microsoft Security Advisory CVE-2024-30105 | .NET Denial of Service Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET: calling the JsonSerializer.DeserializeAsyncEnumerable method on untrusted input using System.Text.Json may result in denial of service.
Discussion
Discussion for this issue can be found at dotnet/runtime#104619
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
- Any .NET 8.0 application running on .NET 8.0.6 or earlier.
Affected Packages
The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.
.NET 8
| Package name | Affected version | Patched version |
| --- | --- | --- |
| System.Text.Json | >=7.0.0, <=8.0.3 | 8.0.4 |

Advisory FAQ
How do I know if I am affected?
If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.
How do I fix the issue?
- To fix the issue, please install the latest version of .NET 8.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
- If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following:

```
.NET Core SDK (reflecting any global.json):
 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):
  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:
  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```
- If you're using .NET 8.0, you should download and install .NET 8.0.7 Runtime or .NET 8.0.107 SDK (for Visual Studio 2022 v17.8) from https://dotnet.microsoft.com/download/dotnet-core/8.0.
.NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
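Both Advisory FAQ sections above say to run `dotnet --info` and compare the installed shared runtimes against the patched versions (8.0.7 for .NET 8.0, 6.0.32 for .NET 6.0). The script below is an added example, not part of the Snyk PR or of either Microsoft advisory: it parses the "runtimes installed" section of that output and flags runtimes below the patched level. The sample output is constructed, and only the 8.0 and 6.0 lines are checked because those are the release lines for which the advisories give a fixed version.

```python
import re

# Constructed sample, shaped like the `dotnet --info` excerpt in the advisory above.
SAMPLE_INFO = r"""
.NET Core SDKs installed:
  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.30 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
"""

# First patched runtime per release line, taken from the advisories (8.0.7 and 6.0.32).
# .NET 7.0 is named in the first FAQ without a version, so it is not checked here.
FIXED_RUNTIME = {(8, 0): (8, 0, 7), (6, 0): (6, 0, 32)}
RUNTIME_LINE = re.compile(r"^\s+(Microsoft\.[\w.]+)\s+(\d+\.\d+\.\d+)\s+\[")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_runtimes(info_text):
    """Return (name, version tuple) for each entry under 'runtimes installed'."""
    runtimes, in_section = [], False
    for line in info_text.splitlines():
        if "runtimes installed" in line:
            in_section = True
        elif in_section and line.strip() and not line.startswith(" "):
            in_section = False  # the next non-indented line ends the section
        elif in_section:
            match = RUNTIME_LINE.match(line)
            if match:
                runtimes.append((match.group(1), parse_version(match.group(2))))
    return runtimes

def vulnerable_runtimes(info_text):
    """Installed runtimes older than the advisory's patched version for their release line."""
    findings = []
    for name, version in parse_runtimes(info_text):
        fixed = FIXED_RUNTIME.get(version[:2])
        if fixed and version < fixed:
            findings.append((name, ".".join(map(str, version)), ".".join(map(str, fixed))))
    return findings

if __name__ == "__main__":  # swap SAMPLE_INFO for the real `dotnet --info` output
    print(vulnerable_runtimes(SAMPLE_INFO))
```

This only inspects shared runtimes on the machine; self-contained applications bundle their own runtime and, as the advisory notes, must be recompiled and redeployed separately.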
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
Revisions
V1.0 (July 09, 2024): Advisory published.
Version 1.0
Last Updated 2024-07-09
setuptools 66.1.1-1
(deb)
pkg:deb/debian/setuptools@66.1.1-1?os_distro=bookworm&os_name=debian&os_version=12
# Dockerfile (93:95)

```dockerfile
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1 software-properties-common \
    && rm -rf /var/lib/apt/lists/*
```

| Field | Value |
| --- | --- |
| Affected range | >=66.1.1-1 |
| Fixed version | Not Fixed |
| EPSS Score | 0.04% |
| EPSS Percentile | 9th percentile |
Description
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Snyk has created this PR to fix 4 vulnerabilities in the dockerfile dependencies of this project.
Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.
Snyk changed the following file(s): `Dockerfile`

We recommend upgrading to `python:3.12.4-slim-bookworm`, as this image has only 47 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:
- SNYK-DEBIAN12-SYSTEMD-6277507
- SNYK-DEBIAN12-SYSTEMD-6277507
- SNYK-DEBIAN12-OPENSSL-6048820
- SNYK-DEBIAN12-OPENSSL-6148845
- SNYK-DEBIAN12-OPENSSL-6190223
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Summary: Update `Dockerfile` to use `python:3.12.4-slim-bookworm` to address security vulnerabilities.

Key points:
- `Dockerfile` updated to use `python:3.12.4-slim-bookworm` instead of `python:3.11.8-slim-bookworm`.

Generated with ❤️ by ellipsis.dev