
[Snyk] Security upgrade python from 3.11.8-slim-bookworm to 3.12.4-slim-bookworm #4224

Open. Wants to merge 4 commits into main.

Conversation

@rubenfiszel (Contributor) commented Aug 10, 2024


Snyk has created this PR to fix 4 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • Dockerfile

We recommend upgrading to python:3.12.4-slim-bookworm, as this image has only 47 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue | Score
high severity: Allocation of Resources Without Limits or Throttling (SNYK-DEBIAN12-SYSTEMD-6277507) | 614
high severity: Allocation of Resources Without Limits or Throttling (SNYK-DEBIAN12-SYSTEMD-6277507) | 614
medium severity: Improper Check for Unusual or Exceptional Conditions (SNYK-DEBIAN12-OPENSSL-6048820) | 514
medium severity: Out-of-bounds Write (SNYK-DEBIAN12-OPENSSL-6148845) | 514
medium severity: CVE-2024-0727 (SNYK-DEBIAN12-OPENSSL-6190223) | 514

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling


🚀 This description was created by Ellipsis for commit 5905c9b

Summary:

Update Dockerfile to use python:3.12.4-slim-bookworm to address security vulnerabilities.

Key points:

  • Update Dockerfile to use python:3.12.4-slim-bookworm instead of python:3.11.8-slim-bookworm.
  • Addresses 4 security vulnerabilities related to system resource allocation and OpenSSL.
  • Ensures the Docker base image benefits from the latest security fixes.

Generated with ❤️ by ellipsis.dev

cloudflare-workers-and-pages bot commented Aug 10, 2024

Deploying windmill with Cloudflare Pages

Latest commit: 43ce5fa
Status: ✅ Deploy successful!
Preview URL: https://bad13f7a.windmill.pages.dev
Branch Preview URL: https://snyk-fix-c64e00b3b9a5bc5dc32.windmill.pages.dev

@ellipsis-dev bot (Contributor) left a comment

👍 Looks good to me! Reviewed everything up to 5905c9b in 27 seconds

More details
  • Looked at 13 lines of code in 1 file.
  • Skipped 0 files when reviewing.
  • Skipped posting 1 drafted comment based on config settings.
  1. Dockerfile:3
    • Draft comment: The update of the Python image from 3.11.8-slim-bookworm to 3.12.4-slim-bookworm is appropriate to address the security vulnerabilities listed. Ensure that the application's compatibility with Python 3.12.4 is tested, as minor version updates can sometimes introduce breaking changes or deprecations that could affect the application.
    • Reason this comment was not posted: Confidence changes required: 0%. The PR is intended to update the Python base image from version 3.11.8 to 3.12.4 to address security vulnerabilities. The change is straightforward and involves updating the version number in the Dockerfile. This is a typical and necessary update to keep the software dependencies secure and up-to-date. The PR description provided by Snyk outlines the vulnerabilities that are addressed by this update, which includes high and medium severity issues related to systemd and OpenSSL. The change does not appear to introduce any new issues or conflicts with existing configurations in the Dockerfile.

Workflow ID: wflow_Ft2LeGvCeSUx3FOu


You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.


🔍 Vulnerabilities of ghcr.io/windmill-labs/windmill-ee:main

📦 Image Reference: ghcr.io/windmill-labs/windmill-ee:main
digest: sha256:8afa72a699ab39ef602492f7d5098f709522fec7c8c12cb714a719593a5c359b
vulnerabilities: critical: 4 high: 19 medium: 0 low: 0
size: 877 MB
packages: 1391
📦 Base Image python:3-slim
also known as
  • 3-slim-bookworm
  • 3.12-slim
  • 3.12-slim-bookworm
  • 3.12.4-slim
  • 3.12.4-slim-bookworm
  • f39f4938a5a26dff4dbbc84fdc78ff754be2c16d9ac9174647b1c97a007831f7
  • slim
  • slim-bookworm
digest: sha256:a074fac67aa01841fee592d00bae14d25dcaf98ef6e12a683ecceb7e0147e2d1
vulnerabilities: critical: 0 high: 1 medium: 0 low: 28
critical: 1 high: 2 medium: 0 low: 0 stdlib 1.21.7 (golang)

pkg:golang/stdlib@1.21.7

# Dockerfile (111:117)
RUN if [ "$WITH_HELM" = "true" ]; then \
    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
    wget "https://get.helm.sh/helm-v${HELM_VERSION}-linux-$arch.tar.gz" && \
    tar -zxvf "helm-v${HELM_VERSION}-linux-$arch.tar.gz"  && \
    mv linux-$arch/helm /usr/local/bin/helm &&\
    chmod +x /usr/local/bin/helm; \
    else echo 'Building the image without helm'; fi

critical: CVE-2024-24790

Affected range: <1.21.11
Fixed version: 1.21.11
EPSS Score: 0.06%
EPSS Percentile: 28th percentile
Description

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

high: CVE-2024-24791

Affected range: <1.21.12
Fixed version: 1.21.12
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high: CVE-2024-24784

Affected range: <1.21.8
Fixed version: 1.21.8
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

critical: 1 high: 2 medium: 0 low: 0 git 1:2.39.2-1.1 (deb)

pkg:deb/debian/git@1:2.39.2-1.1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (93:95)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

critical: CVE-2024-32002

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.15%
EPSS Percentile: 52nd percentile
Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

high: CVE-2024-32004

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

high: CVE-2024-32465

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

critical: 1 high: 0 medium: 0 low: 0 github.com/docker/docker 24.0.7+incompatible (golang)

pkg:golang/github.com/docker/docker@24.0.7%2Bincompatible

# Dockerfile (111:117)
RUN if [ "$WITH_HELM" = "true" ]; then \
    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
    wget "https://get.helm.sh/helm-v${HELM_VERSION}-linux-$arch.tar.gz" && \
    tar -zxvf "helm-v${HELM_VERSION}-linux-$arch.tar.gz"  && \
    mv linux-$arch/helm /usr/local/bin/helm &&\
    chmod +x /usr/local/bin/helm; \
    else echo 'Building the image without helm'; fi

critical 9.9: CVE-2024-41110 Partial String Comparison

Affected range: >=24.0.0, <25.0.6
Fixed version: 26.1.4
CVSS Score: 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

Impact

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.

Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.

Vulnerability details

  • AuthZ bypass and privilege escalation: An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.
  • Initial fix: The issue was fixed in Docker Engine v18.09.1 in January 2019.
  • Regression: The fix was not included in Docker Engine v19.03 or newer versions. This was identified in April 2024 and patches were released for the affected versions on July 23, 2024. The issue was assigned CVE-2024-41110.

Patches

  • docker-ce v27.1.1 contains patches to fix the vulnerability.
  • Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches.

Remediation steps

  • If you are running an affected version, update to the most recent patched version.
  • Mitigation if unable to update immediately:
    • Avoid using AuthZ plugins.
    • Restrict access to the Docker API to trusted parties, following the principle of least privilege.


critical: 1 high: 0 medium: 0 low: 0 aom 3.6.0-1 (deb)

pkg:deb/debian/aom@3.6.0-1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (93:95)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

critical: CVE-2024-5171

Affected range: >=3.6.0-1
Fixed version: Not Fixed
EPSS Score: 0.06%
EPSS Percentile: 26th percentile
Description

Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:
  • Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
  • Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
  • Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.

critical: 0 high: 4 medium: 0 low: 0 pillow 9.4.0 (pypi)

pkg:pypi/pillow@9.4.0

# Dockerfile (155:155)
COPY --from=builder /frontend/build /static_frontend

high 8.8: CVE-2023-4863 Out-of-bounds Write

Affected range: <10.0.1
Fixed version: 10.0.1
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 64.44%
EPSS Percentile: 98th percentile
Description

Heap buffer overflow in libwebp allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

high 8.1: CVE-2023-50447 Improper Control of Generation of Code ('Code Injection')

Affected range: <10.2.0
Fixed version: 10.2.0
CVSS Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.07%
EPSS Percentile: 33rd percentile
Description

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

high 7.5: CVE-2023-44271 Uncontrolled Resource Consumption

Affected range: <10.0.0
Fixed version: 10.0.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.05%
EPSS Percentile: 23rd percentile
Description

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

high: GHSA-56pw-mpj4-fxww

Affected range: <10.0.1
Fixed version: 10.0.1
Description

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

critical: 0 high: 3 medium: 0 low: 0 cryptography 38.0.4 (pypi)

pkg:pypi/cryptography@38.0.4

# Dockerfile (93:95)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

high 7.5: CVE-2024-26130 NULL Pointer Dereference

Affected range: >=38.0.0, <42.0.4
Fixed version: 42.0.4
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

If pkcs12.serialize_key_and_certificates is called with both:

  1. A certificate whose public key did not match the provided private key
  2. An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...))

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in pyca/cryptography#10423

high 7.5: CVE-2023-50782 Observable Discrepancy

Affected range: <42.0.0
Fixed version: 42.0.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.10%
EPSS Percentile: 41st percentile
Description

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

high 7.4: CVE-2023-0286 Access of Resource Using Incompatible Type ('Type Confusion')

Affected range: >=0.8.1, <39.0.1
Fixed version: 39.0.1
CVSS Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score: 0.30%
EPSS Percentile: 70th percentile
Description

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

critical: 0 high: 2 medium: 0 low: 0 nodejs 20.16.0-1nodesource1 (deb)

pkg:deb/debian/nodejs@20.16.0-1nodesource1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (155:155)
COPY --from=builder /frontend/build /static_frontend

high: CVE-2024-27983

Affected range: >=18.19.0+dfsg-6~deb12u2
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

high: CVE-2024-22019

Affected range: >=18.19.0+dfsg-6~deb12u2
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

critical: 0 high: 1 medium: 0 low: 0 pip 24.0 (pypi)

pkg:pypi/pip@24.0

# Dockerfile (80:80)
FROM ${PYTHON_IMAGE}

high 7.8: CVE-2018-20225 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: >=0
Fixed version: Not Fixed
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.11%
EPSS Percentile: 45th percentile
Description

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number).

critical: 0 high: 1 medium: 0 low: 0 System.Data.SqlClient 4.8.5 (nuget)

pkg:nuget/System.Data.SqlClient@4.8.5

# Dockerfile (98:109)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 8.7: CVE-2024-0056 Cleartext Transmission of Sensitive Information

Affected range: <4.8.6
Fixed version: 4.8.6
CVSS Score: 8.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score: 0.13%
EPSS Percentile: 48th percentile
Description

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

critical: 0 high: 1 medium: 0 low: 0 System.Formats.Asn1 7.0.0 (nuget)

pkg:nuget/System.Formats.Asn1@7.0.0

# Dockerfile (98:109)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 7.5: CVE-2024-38095 Improper Input Validation

Affected range: >=7.0.0-preview.1.22076.8, <8.0.1
Fixed version: 8.0.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.06%
EPSS Percentile: 28th percentile
Description

Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates: a malicious certificate can result in excessive CPU consumption on all platforms, resulting in denial of service.

Announcement

Announcement for this issue can be found at dotnet/announcements#312

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.31 or earlier.
  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.

.NET 6

Package name | Affected version | Patched version
Microsoft.NetCore.App.Runtime.linux-arm | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-arm | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.osx-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.osx-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-arm | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-x86 | >=6.0.0, <=6.0.31 | 6.0.32
System.Formats.Asn1 | >=5.0.0-preview.7.20364.11 | 6.0.1

.NET 8

Package name | Affected version | Patched version
Microsoft.NetCore.App.Runtime.linux-arm | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-arm | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.osx-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.osx-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-arm | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-x86 | >=8.0.0, <=8.0.6 | 8.0.7
System.Formats.Asn1 | <=6.0.0, >=7.0.0-preview.1.22076.8 | 8.0.1

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue please install the latest version of .NET 8.0 or .NET 7.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following:
.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0 and .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2024-38095

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

critical: 0 high: 1 medium: 0 low: 0 System.Formats.Asn1 7.0.823.31807 (nuget)

pkg:nuget/System.Formats.Asn1@7.0.823.31807

# Dockerfile (98:109)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 7.5: CVE-2024-38095 Improper Input Validation

Affected range: >=7.0.0-preview.1.22076.8, <8.0.1
Fixed version: 8.0.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.06%
EPSS Percentile: 28th percentile
Description

Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or a collection of certificates: a malicious certificate can cause excessive CPU consumption on all platforms, resulting in denial of service.

Announcement

Announcement for this issue can be found at dotnet/announcements#312

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.31 or earlier.
  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project that uses any of the affected package versions listed below.

.NET 6

| Package name | Affected version | Patched version |
| --- | --- | --- |
| Microsoft.NetCore.App.Runtime.linux-arm | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-arm | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-x64 | >=6.0.0, <=6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-x86 | >=6.0.0, <=6.0.31 | 6.0.32 |
| System.Formats.Asn1 | >=5.0.0-preview.7.20364.11 | 6.0.1 |

.NET 8

| Package name | Affected version | Patched version |
| --- | --- | --- |
| Microsoft.NetCore.App.Runtime.linux-arm | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-arm | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-x64 | >=8.0.0, <=8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-x86 | >=8.0.0, <=8.0.6 | 8.0.7 |
| System.Formats.Asn1 | <=6.0.0, >=7.0.0-preview.1.22076.8 | 8.0.1 |

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue, install the latest version of .NET 8.0, .NET 7.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following:
.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0 and .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.


External Links

CVE-2024-38095

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

critical: 0 high: 1 medium: 0 low: 0 System.Text.Json 7.0.823.31807 (nuget)

pkg:nuget/System.Text.Json@7.0.823.31807

# Dockerfile (98:109)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 7.5: CVE-2024-30105 Uncontrolled Resource Consumption

Affected range: >=7.0.0, <8.0.4
Fixed version: 8.0.4
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.06%
EPSS Percentile: 28th percentile
Description

Microsoft Security Advisory CVE-2024-30105 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET where calling the JsonSerializer.DeserializeAsyncEnumerable method of System.Text.Json on untrusted input may result in denial of service.

Discussion

Discussion for this issue can be found at dotnet/runtime#104619

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project that uses any of the affected package versions listed below.

.NET 8

| Package name | Affected version | Patched version |
| --- | --- | --- |
| System.Text.Json | >=7.0.0, <=8.0.3 | 8.0.4 |

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue, install the latest version of .NET 8.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following:
.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.


External Links

CVE-2024-30105

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

critical: 0 high: 1 medium: 0 low: 0 setuptools 66.1.1-1 (deb)

pkg:deb/debian/setuptools@66.1.1-1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (93:95)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

high: CVE-2024-6345

Affected range: >=66.1.1-1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 9th percentile
Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
