Running with gitlab-runner 12.8.0 (1b659122)
  on pica01-test fyUVS7Hz
section_start:1585877670:prepare_executor
Using Docker executor with image registry.picasoft.net/pica-ci-base ...
Starting service docker:19.03.0-dind ...
Pulling docker image docker:19.03.0-dind ...
Using docker image sha256:fd0c64832f7e46b63a180e6000dbba7ad7a63542c5764841cba73429ba74a39e for docker:19.03.0-dind ...
Waiting for services to be up and running...

*** WARNING: Service runner-fyUVS7Hz-project-1304-concurrent-0-docker-0 probably didn't start properly.

Health check error:
service "runner-fyUVS7Hz-project-1304-concurrent-0-docker-0-wait-for-service" timeout

Health check container logs:

Service container logs:
2020-04-03T01:34:32.646742761Z time="2020-04-03T01:34:32.645725770Z" level=info msg="Starting up"
2020-04-03T01:34:32.653309290Z time="2020-04-03T01:34:32.653143568Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
2020-04-03T01:34:32.653927843Z time="2020-04-03T01:34:32.653414758Z" level=warning msg="[!]
DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]" 2020-04-03T01:34:32.655682653Z time="2020-04-03T01:34:32.655105020Z" level=info msg="libcontainerd: started new containerd process" pid=20 2020-04-03T01:34:32.655695863Z time="2020-04-03T01:34:32.655144913Z" level=info msg="parsed scheme: \"unix\"" module=grpc 2020-04-03T01:34:32.655701452Z time="2020-04-03T01:34:32.655163759Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc 2020-04-03T01:34:32.655706443Z time="2020-04-03T01:34:32.655195809Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] }" module=grpc 2020-04-03T01:34:32.655711472Z time="2020-04-03T01:34:32.655207240Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc 2020-04-03T01:34:32.655716339Z time="2020-04-03T01:34:32.655270311Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc0008140d0, CONNECTING" module=grpc 2020-04-03T01:34:32.690747891Z time="2020-04-03T01:34:32.690591137Z" level=info msg="starting containerd" revision=894b81a4b802e4eb2a91d1ce216b8817763c29fb version=v1.2.6 2020-04-03T01:34:32.691139410Z time="2020-04-03T01:34:32.691049375Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." type=io.containerd.content.v1 2020-04-03T01:34:32.691268232Z time="2020-04-03T01:34:32.691168287Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." type=io.containerd.snapshotter.v1 2020-04-03T01:34:32.691450913Z time="2020-04-03T01:34:32.691361956Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.btrfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" 2020-04-03T01:34:32.691462132Z time="2020-04-03T01:34:32.691393533Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.aufs"..." 
type=io.containerd.snapshotter.v1 2020-04-03T01:34:32.703797131Z time="2020-04-03T01:34:32.703672078Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.aufs" error="modprobe aufs failed: "ip: can't find device 'aufs'\naufs 274432 0 \nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1" 2020-04-03T01:34:32.703889152Z time="2020-04-03T01:34:32.703834921Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.native"..." type=io.containerd.snapshotter.v1 2020-04-03T01:34:32.704042721Z time="2020-04-03T01:34:32.703991522Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.overlayfs"..." type=io.containerd.snapshotter.v1 2020-04-03T01:34:32.704439250Z time="2020-04-03T01:34:32.704309072Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1 2020-04-03T01:34:32.704739804Z time="2020-04-03T01:34:32.704648323Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.zfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter" 2020-04-03T01:34:32.704823112Z time="2020-04-03T01:34:32.704776268Z" level=info msg="loading plugin "io.containerd.metadata.v1.bolt"..." 
type=io.containerd.metadata.v1 2020-04-03T01:34:32.705402522Z time="2020-04-03T01:34:32.704917354Z" level=warning msg="could not use snapshotter btrfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" 2020-04-03T01:34:32.705961058Z time="2020-04-03T01:34:32.704952780Z" level=warning msg="could not use snapshotter aufs in metadata plugin" error="modprobe aufs failed: "ip: can't find device 'aufs'\naufs 274432 0 \nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1" 2020-04-03T01:34:32.706054857Z time="2020-04-03T01:34:32.704978051Z" level=warning msg="could not use snapshotter zfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter" 2020-04-03T01:34:32.715964072Z time="2020-04-03T01:34:32.715853052Z" level=info msg="loading plugin "io.containerd.differ.v1.walking"..." type=io.containerd.differ.v1 2020-04-03T01:34:32.716082496Z time="2020-04-03T01:34:32.716020024Z" level=info msg="loading plugin "io.containerd.gc.v1.scheduler"..." type=io.containerd.gc.v1 2020-04-03T01:34:32.716339499Z time="2020-04-03T01:34:32.716278489Z" level=info msg="loading plugin "io.containerd.service.v1.containers-service"..." type=io.containerd.service.v1 2020-04-03T01:34:32.716430964Z time="2020-04-03T01:34:32.716366361Z" level=info msg="loading plugin "io.containerd.service.v1.content-service"..." type=io.containerd.service.v1 2020-04-03T01:34:32.716526924Z time="2020-04-03T01:34:32.716469886Z" level=info msg="loading plugin "io.containerd.service.v1.diff-service"..." type=io.containerd.service.v1 2020-04-03T01:34:32.716652652Z time="2020-04-03T01:34:32.716592139Z" level=info msg="loading plugin "io.containerd.service.v1.images-service"..." 
type=io.containerd.service.v1 2020-04-03T01:34:32.716730052Z time="2020-04-03T01:34:32.716679953Z" level=info msg="loading plugin "io.containerd.service.v1.leases-service"..." type=io.containerd.service.v1 2020-04-03T01:34:32.716810328Z time="2020-04-03T01:34:32.716767798Z" level=info msg="loading plugin "io.containerd.service.v1.namespaces-service"..." type=io.containerd.service.v1 2020-04-03T01:34:32.716871423Z time="2020-04-03T01:34:32.716834710Z" level=info msg="loading plugin "io.containerd.service.v1.snapshots-service"..." type=io.containerd.service.v1 2020-04-03T01:34:32.716945246Z time="2020-04-03T01:34:32.716896098Z" level=info msg="loading plugin "io.containerd.runtime.v1.linux"..." type=io.containerd.runtime.v1 2020-04-03T01:34:32.717231646Z time="2020-04-03T01:34:32.717169119Z" level=info msg="loading plugin "io.containerd.runtime.v2.task"..." type=io.containerd.runtime.v2 2020-04-03T01:34:32.717419920Z time="2020-04-03T01:34:32.717371527Z" level=info msg="loading plugin "io.containerd.monitor.v1.cgroups"..." type=io.containerd.monitor.v1 2020-04-03T01:34:32.717903623Z time="2020-04-03T01:34:32.717832314Z" level=info msg="loading plugin "io.containerd.service.v1.tasks-service"..." type=io.containerd.service.v1 2020-04-03T01:34:32.717995956Z time="2020-04-03T01:34:32.717949022Z" level=info msg="loading plugin "io.containerd.internal.v1.restart"..." type=io.containerd.internal.v1 2020-04-03T01:34:32.718098814Z time="2020-04-03T01:34:32.718046387Z" level=info msg="loading plugin "io.containerd.grpc.v1.containers"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718161993Z time="2020-04-03T01:34:32.718124162Z" level=info msg="loading plugin "io.containerd.grpc.v1.content"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718230907Z time="2020-04-03T01:34:32.718188069Z" level=info msg="loading plugin "io.containerd.grpc.v1.diff"..." 
type=io.containerd.grpc.v1 2020-04-03T01:34:32.718294312Z time="2020-04-03T01:34:32.718257134Z" level=info msg="loading plugin "io.containerd.grpc.v1.events"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718354806Z time="2020-04-03T01:34:32.718318503Z" level=info msg="loading plugin "io.containerd.grpc.v1.healthcheck"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718415562Z time="2020-04-03T01:34:32.718378300Z" level=info msg="loading plugin "io.containerd.grpc.v1.images"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718484346Z time="2020-04-03T01:34:32.718440903Z" level=info msg="loading plugin "io.containerd.grpc.v1.leases"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718545308Z time="2020-04-03T01:34:32.718508917Z" level=info msg="loading plugin "io.containerd.grpc.v1.namespaces"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718611208Z time="2020-04-03T01:34:32.718569155Z" level=info msg="loading plugin "io.containerd.internal.v1.opt"..." type=io.containerd.internal.v1 2020-04-03T01:34:32.718874891Z time="2020-04-03T01:34:32.718826697Z" level=info msg="loading plugin "io.containerd.grpc.v1.snapshots"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.718939411Z time="2020-04-03T01:34:32.718902307Z" level=info msg="loading plugin "io.containerd.grpc.v1.tasks"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.719006314Z time="2020-04-03T01:34:32.718963887Z" level=info msg="loading plugin "io.containerd.grpc.v1.version"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.719066066Z time="2020-04-03T01:34:32.719030047Z" level=info msg="loading plugin "io.containerd.grpc.v1.introspection"..." type=io.containerd.grpc.v1 2020-04-03T01:34:32.719315055Z time="2020-04-03T01:34:32.719267978Z" level=info msg=serving... address="/var/run/docker/containerd/containerd-debug.sock" 2020-04-03T01:34:32.719461675Z time="2020-04-03T01:34:32.719405747Z" level=info msg=serving... 
address="/var/run/docker/containerd/containerd.sock" 2020-04-03T01:34:32.719549585Z time="2020-04-03T01:34:32.719512771Z" level=info msg="containerd successfully booted in 0.029715s" 2020-04-03T01:34:32.728668930Z time="2020-04-03T01:34:32.728490454Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc0008140d0, READY" module=grpc 2020-04-03T01:34:32.735352806Z time="2020-04-03T01:34:32.735233025Z" level=info msg="Setting the storage driver from the $DOCKER_DRIVER environment variable (overlay2)" 2020-04-03T01:34:32.735662540Z time="2020-04-03T01:34:32.735599233Z" level=info msg="parsed scheme: \"unix\"" module=grpc 2020-04-03T01:34:32.735764479Z time="2020-04-03T01:34:32.735684695Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc 2020-04-03T01:34:32.735798810Z time="2020-04-03T01:34:32.735739074Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] }" module=grpc 2020-04-03T01:34:32.735893543Z time="2020-04-03T01:34:32.735825146Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc 2020-04-03T01:34:32.736033486Z time="2020-04-03T01:34:32.735969071Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc00081a590, CONNECTING" module=grpc 2020-04-03T01:34:32.736136312Z time="2020-04-03T01:34:32.736030954Z" level=info msg="blockingPicker: the picked transport is not ready, loop back to repick" module=grpc 2020-04-03T01:34:32.736576647Z time="2020-04-03T01:34:32.736460126Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc00081a590, READY" module=grpc 2020-04-03T01:34:32.737068579Z time="2020-04-03T01:34:32.736991909Z" level=info msg="parsed scheme: \"unix\"" module=grpc 2020-04-03T01:34:32.737190987Z time="2020-04-03T01:34:32.737136119Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc 2020-04-03T01:34:32.737261974Z time="2020-04-03T01:34:32.737202453Z" 
level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] }" module=grpc 2020-04-03T01:34:32.737653516Z time="2020-04-03T01:34:32.737280114Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc 2020-04-03T01:34:32.737663878Z time="2020-04-03T01:34:32.737363699Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc00081aa20, CONNECTING" module=grpc 2020-04-03T01:34:32.738233446Z time="2020-04-03T01:34:32.737777178Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc00081aa20, READY" module=grpc 2020-04-03T01:34:32.809531822Z time="2020-04-03T01:34:32.809405881Z" level=warning msg="Your kernel does not support swap memory limit" 2020-04-03T01:34:32.809551088Z time="2020-04-03T01:34:32.809431088Z" level=warning msg="Your kernel does not support cgroup rt period" 2020-04-03T01:34:32.809556548Z time="2020-04-03T01:34:32.809439409Z" level=warning msg="Your kernel does not support cgroup rt runtime" 2020-04-03T01:34:32.809808149Z time="2020-04-03T01:34:32.809731584Z" level=info msg="Loading containers: start." 
2020-04-03T01:34:32.851927650Z time="2020-04-03T01:34:32.851537412Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: ip: can't find device 'bridge'\nbridge 188416 1 br_netfilter\nstp 16384 1 bridge\nllc 16384 2 bridge,stp\nip: can't find device 'br_netfilter'\nbr_netfilter 24576 0 \nbridge 188416 1 br_netfilter\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n, error: exit status 1" 2020-04-03T01:34:32.870455898Z time="2020-04-03T01:34:32.870243363Z" level=warning msg="Running modprobe nf_nat failed with message: `ip: can't find device 'nf_nat'\nnf_nat_ipv4 16384 3 iptable_nat,ipt_MASQUERADE,nft_chain_nat_ipv4\nnf_nat 36864 2 xt_nat,nf_nat_ipv4\nnf_conntrack 172032 6 xt_nat,xt_conntrack,ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,nf_nat\nlibcrc32c 16384 4 btrfs,xfs,nf_nat,nf_conntrack\nmodprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1" 2020-04-03T01:34:32.885600435Z time="2020-04-03T01:34:32.884361108Z" level=warning msg="Running modprobe xt_conntrack failed with message: `ip: can't find device 'xt_conntrack'\nxt_conntrack 16384 3 \nnf_conntrack 172032 6 xt_nat,xt_conntrack,ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,nf_nat\nx_tables 45056 8 iptable_filter,xt_nat,xt_tcpudp,xt_conntrack,ipt_MASQUERADE,xt_addrtype,nft_compat,ip_tables\nmodprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1" 2020-04-03T01:34:33.072624182Z time="2020-04-03T01:34:33.072466846Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.18.0.0/16. Daemon option --bip can be used to set a preferred IP address" 2020-04-03T01:34:33.152499883Z time="2020-04-03T01:34:33.148646364Z" level=info msg="Loading containers: done." 
2020-04-03T01:34:33.193151314Z time="2020-04-03T01:34:33.193010180Z" level=info msg="Docker daemon" commit=aeac9490dc graphdriver(s)=overlay2 version=19.03.0
2020-04-03T01:34:33.193242815Z time="2020-04-03T01:34:33.193187556Z" level=info msg="Daemon has completed initialization"
2020-04-03T01:34:33.273645653Z time="2020-04-03T01:34:33.273465530Z" level=info msg="API listen on [::]:2375"
2020-04-03T01:34:33.273660467Z time="2020-04-03T01:34:33.273487771Z" level=info msg="API listen on /var/run/docker.sock"

*********

Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image registry.picasoft.net/pica-ci-base ...
Using docker image sha256:31f9b58ca7552cdd0ba64e295952a2bef4a246425c48d8ee557bea136107806e for registry.picasoft.net/pica-ci-base ...
section_end:1585877678:prepare_executor
section_start:1585877678:prepare_script
Running on runner-fyUVS7Hz-project-1304-concurrent-0 via pica01-test...
section_end:1585877680:prepare_script
section_start:1585877680:get_sources
Fetching changes...
Reinitialized existing Git repository in /builds/picasoft/projets/dockerfiles/.git/
Checking out 078d448a as master...
Removing variables
Skipping Git submodules setup
section_end:1585877681:get_sources
section_start:1585877681:restore_cache
Checking cache for default-1...
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
section_end:1585877683:restore_cache
section_start:1585877683:download_artifacts
section_end:1585877684:download_artifacts
section_start:1585877684:build_script
Authenticating with credentials from $DOCKER_AUTH_CONFIG
$ echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ source variables
$ docker pull $MODIFIED_IMAGE_FULL_TEST
1.0: Pulling from pica-db-backup-rotation
c499e6d256d6: Pulling fs layer
62b0f1bf7919: Pulling fs layer
3b19c64bdfee: Pulling fs layer
196a2aed8498: Pulling fs layer
6230be1200bd: Pulling fs layer
65fc64ccc3b3: Pulling fs layer
1e77cec3cb11: Pulling fs layer
e25ac7f7b635: Pulling fs layer
6230be1200bd: Waiting
65fc64ccc3b3: Waiting
1e77cec3cb11: Waiting
e25ac7f7b635: Waiting
196a2aed8498: Waiting
62b0f1bf7919: Verifying Checksum
62b0f1bf7919: Download complete
c499e6d256d6: Verifying Checksum
c499e6d256d6: Download complete
3b19c64bdfee: Verifying Checksum
3b19c64bdfee: Download complete
c499e6d256d6: Pull complete
196a2aed8498: Verifying Checksum
196a2aed8498: Download complete
1e77cec3cb11: Verifying Checksum
1e77cec3cb11: Download complete
6230be1200bd: Verifying Checksum
6230be1200bd: Download complete
e25ac7f7b635: Verifying Checksum
e25ac7f7b635: Download complete
62b0f1bf7919: Pull complete
65fc64ccc3b3: Verifying Checksum
65fc64ccc3b3: Download complete
3b19c64bdfee: Pull complete
196a2aed8498: Pull complete
6230be1200bd: Pull complete
65fc64ccc3b3: Pull complete
1e77cec3cb11: Pull complete
e25ac7f7b635: Pull complete
Digest: sha256:166537580b43cbe6d05324017669212aff979b219bb1c1a21892409d57487f02
Status: Downloaded newer image for registry.test.picasoft.net/pica-db-backup-rotation:1.0
registry.test.picasoft.net/pica-db-backup-rotation:1.0
$ docker run -d --name db arminc/clair-db:latest
Unable to find image 'arminc/clair-db:latest' locally
latest: Pulling from arminc/clair-db
c9b1b535fdd9: Pulling fs layer
d1030c456d04: Pulling fs layer
d1d0211bbd9a: Pulling fs layer
07d0560c0a3f: Pulling fs layer
ce7fd4584a5f: Pulling fs layer
63eb0325fe1c: Pulling fs layer
b67486507716: Pulling fs layer
f58de2b85820: Pulling fs layer
ca982626dd56: Pulling fs layer
7125799b7483: Pulling fs layer
63eb0325fe1c: Waiting
b67486507716: Waiting
f58de2b85820: Waiting
ca982626dd56: Waiting
7125799b7483: Waiting
ce7fd4584a5f: Waiting
d1d0211bbd9a: Verifying Checksum
d1d0211bbd9a: Download complete
d1030c456d04: Verifying Checksum
d1030c456d04: Download complete
c9b1b535fdd9: Verifying Checksum
c9b1b535fdd9: Download complete
c9b1b535fdd9: Pull complete
d1030c456d04: Pull complete
d1d0211bbd9a: Pull complete
ce7fd4584a5f: Verifying Checksum
ce7fd4584a5f: Download complete
63eb0325fe1c: Verifying Checksum
63eb0325fe1c: Download complete
b67486507716: Verifying Checksum
b67486507716: Download complete
07d0560c0a3f: Verifying Checksum
07d0560c0a3f: Download complete
07d0560c0a3f: Pull complete
ce7fd4584a5f: Pull complete
63eb0325fe1c: Pull complete
b67486507716: Pull complete
ca982626dd56: Verifying Checksum
ca982626dd56: Download complete
7125799b7483: Retrying in 5 seconds
f58de2b85820: Download complete
f58de2b85820: Pull complete
ca982626dd56: Pull complete
7125799b7483: Retrying in 4 seconds
7125799b7483: Retrying in 3 seconds
7125799b7483: Retrying in 2 seconds
7125799b7483: Retrying in 1 second
7125799b7483: Verifying Checksum
7125799b7483: Download complete
7125799b7483: Pull complete
Digest: sha256:1a848ae2efe59a0b6c39312ddcb22e032301f32cf7525528b9a1f96438588991
Status: Downloaded newer image for arminc/clair-db:latest
1b08beec4da079af5390c84f4674c5c63cc687f68aad455b0fc1c40e021470e6
$ docker run -p 6060:6060 -d --link db:postgres --name clair --restart on-failure arminc/clair-local-scan:latest
Unable to find image 'arminc/clair-local-scan:latest' locally
latest: Pulling from arminc/clair-local-scan
89d9c30c1d48: Pulling fs layer
8ef94372a977: Pulling fs layer
1ec62c064901: Pulling fs layer
a47b1e89d194: Pulling fs layer
bf1a3d234800: Pulling fs layer
e86df44ff081: Pulling fs layer
e4ea05d3fe20: Pulling fs layer
db83214ca2c8: Pulling fs layer
d25cd0d91d36: Pulling fs layer
a47b1e89d194: Waiting
bf1a3d234800: Waiting
e86df44ff081: Waiting
e4ea05d3fe20: Waiting
d25cd0d91d36: Waiting
8ef94372a977: Verifying Checksum
8ef94372a977: Download complete
1ec62c064901: Verifying Checksum
1ec62c064901: Download complete
89d9c30c1d48: Verifying Checksum
89d9c30c1d48: Pull complete
8ef94372a977: Pull complete
1ec62c064901: Pull complete
bf1a3d234800: Verifying Checksum
bf1a3d234800: Download complete
e86df44ff081: Verifying Checksum
e86df44ff081: Download complete
a47b1e89d194: Verifying Checksum
a47b1e89d194: Download complete
d25cd0d91d36: Verifying Checksum
d25cd0d91d36: Download complete
db83214ca2c8: Verifying Checksum
db83214ca2c8: Download complete
e4ea05d3fe20: Verifying Checksum
e4ea05d3fe20: Download complete
a47b1e89d194: Pull complete
bf1a3d234800: Pull complete
e86df44ff081: Pull complete
e4ea05d3fe20: Pull complete
db83214ca2c8: Pull complete
d25cd0d91d36: Pull complete
Digest: sha256:ee4cea994878aaac3d35ad11fb843f6e506359aba74a6d23093905190753f094
Status: Downloaded newer image for arminc/clair-local-scan:latest
4759c0477d948c01f029511a3845a8bb1f23f9148d8fd88c4fe7c3f6b7caa228
$ wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
--2020-04-03 01:35:51-- https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
Resolving github.com... 140.82.118.4
Connecting to github.com|140.82.118.4|:443... connected.
HTTP request sent, awaiting response...
302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/86972405/4061695e-f44f-11e7-97fe-da8073f4908c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200403%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200403T013551Z&X-Amz-Expires=300&X-Amz-Signature=c3359f07f7d0409818e7eac964e0c1c57979d69cbfe5b710b10fb6c48f2bb4f1&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dclair-scanner_linux_amd64&response-content-type=application%2Foctet-stream [following]
--2020-04-03 01:35:51-- https://github-production-release-asset-2e65be.s3.amazonaws.com/86972405/4061695e-f44f-11e7-97fe-da8073f4908c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200403%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200403T013551Z&X-Amz-Expires=300&X-Amz-Signature=c3359f07f7d0409818e7eac964e0c1c57979d69cbfe5b710b10fb6c48f2bb4f1&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dclair-scanner_linux_amd64&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com... 52.217.41.36
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com|52.217.41.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9862522 (9.4M) [application/octet-stream]
Saving to: 'clair-scanner_linux_amd64'
2020-04-03 01:37:20 (109 KB/s) - 'clair-scanner_linux_amd64' saved [9862522/9862522]

$ mv clair-scanner_linux_amd64 clair-scanner
$ chmod +x clair-scanner
$ while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
$ ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-report.json -l clair.log -w $MODIFIED_IMAGE/clair-whitelist.yml --threshold="High" $MODIFIED_IMAGE_FULL_TEST
2020/04/03 01:37:20 [INFO] ▶ Start clair-scanner
2020/04/03 01:37:31 [INFO] ▶ Server listening on port 9279
2020/04/03 01:37:31 [INFO] ▶ Analyzing 5d34e2a2e9440ce004a16b5303eba700283a592dbfda39ca0326109143085c23
2020/04/03 01:37:33 [INFO] ▶ Analyzing e56ccff3bf29569f476e0b46f80d1feeb02ab4f933b0cfe2dee9d0868df651a4
2020/04/03 01:37:33 [INFO] ▶ Analyzing 11ee843ccfa994a6ba9a331a7f60a07f410593a3b3914872a28fdd0951bf4bed
2020/04/03 01:37:33 [INFO] ▶ Analyzing 9bd9e9bd1bca0d3a5780f831787c77242820e8dd7a8cbbd70bcd1ea4621a5218
2020/04/03 01:37:33 [INFO] ▶ Analyzing 7bfbaa09f001e4aafd1c636b942f429a069bcb43eb39d15cad7be685d0186c62
2020/04/03 01:37:33 [INFO] ▶ Analyzing 428f5dbfef31ac1a8f783557b8dae01efaebb4dbc3099fd1cf2f31ded28a9789
2020/04/03 01:37:34 [INFO] ▶ Analyzing b8cc055700cb3036b3cb91ad126c639d413f58a159ae3e8bb2ea11f2ecd5561b
2020/04/03 01:37:34 [INFO] ▶ Analyzing 7cac26237aed6dd9974aad3ce665f7baa3ad67a9fd0d3c2552a793966b252c16
2020/04/03 01:37:34 [WARN] ▶ Image [registry.test.picasoft.net/pica-db-backup-rotation:1.0] contains 73 total vulnerabilities
2020/04/03 01:37:34 [ERRO] ▶ Image [registry.test.picasoft.net/pica-db-backup-rotation:1.0] contains 1 unapproved vulnerabilities

| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
|---|---|---|---|---|
| Approved | High CVE-2019-17455 | libntlm | 1.5-1 | Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request. https://security-tracker.debian.org/tracker/CVE-2019-17455 |
| Unapproved | High CVE-2020-8492 | python2.7 | 2.7.16-2+deb10u1 | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. https://security-tracker.debian.org/tracker/CVE-2020-8492 |
| Approved | Medium CVE-2019-12290 | libidn2 | 2.0.5-1+deb10u1 | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. https://security-tracker.debian.org/tracker/CVE-2019-12290 |
| Approved | Medium CVE-2019-19603 | sqlite3 | 3.27.2-3 | SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. https://security-tracker.debian.org/tracker/CVE-2019-19603 |
| Approved | Medium CVE-2019-16168 | sqlite3 | 3.27.2-3 | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." https://security-tracker.debian.org/tracker/CVE-2019-16168 |
| Approved | Medium CVE-2019-20218 | sqlite3 | 3.27.2-3 | selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. https://security-tracker.debian.org/tracker/CVE-2019-20218 |
| Approved | Medium CVE-2018-12886 | gcc-8 | 8.3.0-6 | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. https://security-tracker.debian.org/tracker/CVE-2018-12886 |
| Approved | Low CVE-2016-10228 | glibc | 2.28-10 | The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. https://security-tracker.debian.org/tracker/CVE-2016-10228 |
| Approved | Low CVE-2019-20386 | systemd | 241-7~deb10u3 | An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. https://security-tracker.debian.org/tracker/CVE-2019-20386 |
| Approved | Low CVE-2019-1551 | openssl | 1.1.1d-0+deb10u2 | There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t). https://security-tracker.debian.org/tracker/CVE-2019-1551 |
| Approved | Low CVE-2016-2781 | coreutils | 8.30-3 | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. https://security-tracker.debian.org/tracker/CVE-2016-2781 |
| Approved | Low CVE-2019-13627 | libgcrypt20 | 1.8.4-5 | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. https://security-tracker.debian.org/tracker/CVE-2019-13627 |
| Approved | Low CVE-2018-7169 | shadow | 1:4.5-1.1 | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. https://security-tracker.debian.org/tracker/CVE-2018-7169 |
| Approved | Low CVE-2019-18276 | bash | 5.0-4 | An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected. https://security-tracker.debian.org/tracker/CVE-2019-18276 |
| Approved | Low CVE-2019-17543 | lz4 | 1.8.3-1 | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." https://security-tracker.debian.org/tracker/CVE-2019-17543 |
| Approved | Low CVE-2019-19645 | sqlite3 | 3.27.2-3 | alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. https://security-tracker.debian.org/tracker/CVE-2019-19645 |
| Approved | Low CVE-2020-10029 | glibc | 2.28-10 | The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. https://security-tracker.debian.org/tracker/CVE-2020-10029 |
| Approved | Low CVE-2019-15847 | gcc-8 | 8.3.0-6 | The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. https://security-tracker.debian.org/tracker/CVE-2019-15847 |
| Approved | Low CVE-2019-14855 | gnupg2 | 2.2.12-1+deb10u1 | A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. https://security-tracker.debian.org/tracker/CVE-2019-14855 |
| Approved | Negligible CVE-2007-6755 | openssl | 1.1.1d-0+deb10u2 | The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE. https://security-tracker.debian.org/tracker/CVE-2007-6755 |
| Approved | Negligible CVE-2019-9192 | glibc | 2.28-10 | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern. https://security-tracker.debian.org/tracker/CVE-2019-9192 |
| Approved | Negligible CVE-2019-1010025 | glibc | 2.28-10 | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." https://security-tracker.debian.org/tracker/CVE-2019-1010025 |
| Approved | Negligible CVE-2013-4235 | shadow | 1:4.5-1.1 | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees https://security-tracker.debian.org/tracker/CVE-2013-4235 |
| Approved | Negligible CVE-2010-4051 | glibc | 2.28-10 | The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow." https://security-tracker.debian.org/tracker/CVE-2010-4051 |
| Approved | Negligible CVE-2019-1010023 | glibc | 2.28-10 | GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. https://security-tracker.debian.org/tracker/CVE-2019-1010023 |
| Approved | Negligible CVE-2019-19126 | glibc | 2.28-10 | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. https://security-tracker.debian.org/tracker/CVE-2019-19126 |
| Approved | Negligible CVE-2010-4756 | glibc | 2.28-10 | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. https://security-tracker.debian.org/tracker/CVE-2010-4756 |
| Approved | Negligible CVE-2010-4052 | glibc | 2.28-10 | Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD. https://security-tracker.debian.org/tracker/CVE-2010-4052 |
| Approved | Negligible CVE-2018-20796 | glibc | 2.28-10 | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep. https://security-tracker.debian.org/tracker/CVE-2018-20796 |
| Approved | Negligible CVE-2019-1010022 | glibc | 2.28-10 | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. https://security-tracker.debian.org/tracker/CVE-2019-1010022 |
| Approved | Negligible CVE-2007-5686 | shadow | 1:4.5-1.1 | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. https://security-tracker.debian.org/tracker/CVE-2007-5686 |
| Approved | Negligible CVE-2019-9893 | libseccomp | 2.3.3-4 | libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations. https://security-tracker.debian.org/tracker/CVE-2019-9893 |
| Approved | Negligible CVE-2019-1010024 | glibc | 2.28-10 | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. https://security-tracker.debian.org/tracker/CVE-2019-1010024 |
| Approved | Negligible CVE-2011-3389 | gnutls28 | 3.6.7-4+deb10u2 | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. https://security-tracker.debian.org/tracker/CVE-2011-3389 |
| Approved | Negligible CVE-2019-19244 | sqlite3 | 3.27.2-3 | sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. https://security-tracker.debian.org/tracker/CVE-2019-19244 |
| Approved | Negligible CVE-2019-19242 | sqlite3 | 3.27.2-3 | SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. https://security-tracker.debian.org/tracker/CVE-2019-19242 |
| Approved | Negligible CVE-2019-19925 | sqlite3 | 3.27.2-3 | zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. https://security-tracker.debian.org/tracker/CVE-2019-19925 |
| Approved | Negligible CVE-2020-9327 | sqlite3 | 3.27.2-3 | In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. https://security-tracker.debian.org/tracker/CVE-2020-9327 |
| Approved | Negligible CVE-2019-19959 | sqlite3 | 3.27.2-3 | ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind. https://security-tracker.debian.org/tracker/CVE-2019-19959 |
| Approved | Negligible CVE-2018-1000654 | libtasn1-6 | 4.13-3 | GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. https://security-tracker.debian.org/tracker/CVE-2018-1000654 |
| Approved | Negligible CVE-2017-7245 | pcre3 | 2:8.39-12 | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. https://security-tracker.debian.org/tracker/CVE-2017-7245 |
| Approved | Negligible CVE-2019-19924 | sqlite3 | 3.27.2-3 | SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling. https://security-tracker.debian.org/tracker/CVE-2019-19924 |
| Approved | Negligible CVE-2017-7246 | pcre3 | 2:8.39-12 | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. https://security-tracker.debian.org/tracker/CVE-2017-7246 |
| Approved | Negligible CVE-2017-16231 | pcre3 | 2:8.39-12 | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. https://security-tracker.debian.org/tracker/CVE-2017-16231 |
| Approved | Negligible CVE-2019-19923 | sqlite3 | 3.27.2-3 | flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).
| | | | | | https://security-tracker.debian.org/tracker/CVE-2019-19923 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2004-0971 | krb5 | 1.17-3 | The krb5-send-pr script in the kerberos5 (krb5) package | | | | | | in Trustix Secure Linux 1.5 through 2.1, and possibly | | | | | | other operating systems, allows local users to overwrite | | | | | | files via a symlink attack on temporary files. | | | | | | https://security-tracker.debian.org/tracker/CVE-2004-0971 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2018-5709 | krb5 | 1.17-3 | An issue was discovered in MIT Kerberos 5 (aka krb5) | | | | | | through 1.16. There is a variable "dbentry->n_key_data" | | | | | | in kadmin/dbutil/dump.c that can store 16-bit | | | | | | data but unknowingly the developer has assigned | | | | | | a "u4" variable to it, which is for 32-bit data. | | | | | | An attacker can use this vulnerability to affect | | | | | | other artifacts of the database as we know that a | | | | | | Kerberos database dump file contains trusted data. | | | | | | https://security-tracker.debian.org/tracker/CVE-2018-5709 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2015-3276 | openldap | 2.4.47+dfsg-3+deb10u1 | The nss_parse_ciphers function in libraries/libldap/tls_m.c | | | | | | in OpenLDAP does not properly parse OpenSSL-style | | | | | | multi-keyword mode cipher strings, which might cause a | | | | | | weaker than intended cipher to be used and allow remote | | | | | | attackers to have unspecified impact via unknown vectors. 
| | | | | | https://security-tracker.debian.org/tracker/CVE-2015-3276 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2017-14159 | openldap | 2.4.47+dfsg-3+deb10u1 | slapd in OpenLDAP 2.4.45 and earlier creates a PID file | | | | | | after dropping privileges to a non-root account, which | | | | | | might allow local users to kill arbitrary processes by | | | | | | leveraging access to this non-root account for PID file | | | | | | modification before a root script executes a "kill `cat | | | | | | /pathname`" command, as demonstrated by openldap-initscript. | | | | | | https://security-tracker.debian.org/tracker/CVE-2017-14159 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2017-17740 | openldap | 2.4.47+dfsg-3+deb10u1 | contrib/slapd-modules/nops/nops.c in OpenLDAP through | | | | | | 2.4.45, when both the nops module and the memberof overlay | | | | | | are enabled, attempts to free a buffer that was allocated on | | | | | | the stack, which allows remote attackers to cause a denial | | | | | | of service (slapd crash) via a member MODDN operation. | | | | | | https://security-tracker.debian.org/tracker/CVE-2017-17740 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2017-17522 | python2.7 | 2.7.16-2+deb10u1 | ** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 | | | | | | does not validate strings before launching the program | | | | | | specified by the BROWSER environment variable, which might | | | | | | allow remote attackers to conduct argument-injection attacks | | | | | | via a crafted URL. 
NOTE: a software maintainer indicates | | | | | | that exploitation is impossible because the code relies | | | | | | on subprocess.Popen and the default shell=False setting. | | | | | | https://security-tracker.debian.org/tracker/CVE-2017-17522 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2013-7040 | python2.7 | 2.7.16-2+deb10u1 | Python 2.7 before 3.4 only uses the last eight bits of | | | | | | the prefix to randomize hash values, which causes it to | | | | | | compute hash values without restricting the ability to | | | | | | trigger hash collisions predictably and makes it easier for | | | | | | context-dependent attackers to cause a denial of service | | | | | | (CPU consumption) via crafted input to an application | | | | | | that maintains a hash table. NOTE: this vulnerability | | | | | | exists because of an incomplete fix for CVE-2012-1150. | | | | | | https://security-tracker.debian.org/tracker/CVE-2013-7040 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2017-11164 | pcre3 | 2:8.39-12 | In PCRE 8.41, the OP_KETRMAX feature in the match function | | | | | | in pcre_exec.c allows stack exhaustion (uncontrolled | | | | | | recursion) when processing a crafted regular expression. | | | | | | https://security-tracker.debian.org/tracker/CVE-2017-11164 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-18348 | python2.7 | 2.7.16-2+deb10u1 | An issue was discovered in urllib2 in Python 2.x through | | | | | | 2.7.17 and urllib in Python 3.x through 3.8.0. 
CRLF | | | | | | injection is possible if the attacker controls a url | | | | | | parameter, as demonstrated by the first argument to | | | | | | urllib.request.urlopen with \r\n (specifically in the | | | | | | host component of a URL) followed by an HTTP header. | | | | | | This is similar to the CVE-2019-9740 query string issue | | | | | | and the CVE-2019-9947 path string issue. (This is not | | | | | | exploitable when glibc has CVE-2016-10739 fixed.) | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-18348 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-9674 | python2.7 | 2.7.16-2+deb10u1 | Lib/zipfile.py in Python through 3.7.2 allows | | | | | | remote attackers to cause a denial of service | | | | | | (resource consumption) via a ZIP bomb. | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-9674 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2011-3374 | apt | 1.8.2 | It was found that apt-key in apt, all versions, do not | | | | | | correctly validate gpg keys with the master keyring, | | | | | | leading to a potential man-in-the-middle attack. | | | | | | https://security-tracker.debian.org/tracker/CVE-2011-3374 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2011-4116 | perl | 5.28.1-6 | _is_safe in the File::Temp module for | | | | | | Perl does not properly handle symlinks. 
| | | | | | https://security-tracker.debian.org/tracker/CVE-2011-4116 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2020-1712 | systemd | 241-7~deb10u3 | https://security-tracker.debian.org/tracker/CVE-2020-1712 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-3843 | systemd | 241-7~deb10u3 | It was discovered that a systemd service that uses | | | | | | DynamicUser property can create a SUID/SGID binary | | | | | | that would be allowed to run as the transient service | | | | | | UID/GID even after the service is terminated. A local | | | | | | attacker may use this flaw to access resources that | | | | | | will be owned by a potentially different service | | | | | | in the future, when the UID/GID will be recycled. | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-3843 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2013-4392 | systemd | 241-7~deb10u3 | systemd, when updating file permissions, allows local users | | | | | | to change the permissions and SELinux security contexts for | | | | | | arbitrary files via a symlink attack on unspecified files. 
| | | | | | https://security-tracker.debian.org/tracker/CVE-2013-4392 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-3844 | systemd | 241-7~deb10u3 | It was discovered that a systemd service that uses | | | | | | DynamicUser property can get new privileges through the | | | | | | execution of SUID binaries, which would allow to create | | | | | | binaries owned by the service transient group with the | | | | | | setgid bit set. A local attacker may use this flaw to access | | | | | | resources that will be owned by a potentially different | | | | | | service in the future, when the GID will be recycled. | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-3844 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2010-0928 | openssl | 1.1.1d-0+deb10u2 | OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the | | | | | | Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation | | | | | | (FWE) algorithm for certain signature calculations, and does | | | | | | not verify the signature before providing it to a caller, | | | | | | which makes it easier for physically proximate attackers | | | | | | to determine the private key via a modified supply voltage | | | | | | for the microprocessor, related to a "fault-based attack." 
| | | | | | https://security-tracker.debian.org/tracker/CVE-2010-0928 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-12904 | libgcrypt20 | 1.8.4-5 | In Libgcrypt 1.8.4, the C implementation of AES is | | | | | | vulnerable to a flush-and-reload side-channel attack | | | | | | because physical addresses are available to other | | | | | | processes. (The C implementation is used on platforms | | | | | | where an assembly-language implementation is unavailable.) | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-12904 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2018-6829 | libgcrypt20 | 1.8.4-5 | cipher/elgamal.c in Libgcrypt through 1.8.2, when | | | | | | used to encrypt messages directly, improperly encodes | | | | | | plaintexts, which allows attackers to obtain sensitive | | | | | | information by reading ciphertext data (i.e., it does | | | | | | not have semantic security in face of a ciphertext-only | | | | | | attack). The Decisional Diffie-Hellman (DDH) assumption | | | | | | does not hold for Libgcrypt's ElGamal implementation. | | | | | | https://security-tracker.debian.org/tracker/CVE-2018-6829 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2017-18018 | coreutils | 8.30-3 | In GNU Coreutils through 8.29, chown-core.c in chown | | | | | | and chgrp does not prevent replacement of a plain file | | | | | | with a symlink during use of the POSIX "-R -L" options, | | | | | | which allows local users to modify the ownership | | | | | | of arbitrary files by leveraging a race condition. 
| | | | | | https://security-tracker.debian.org/tracker/CVE-2017-18018 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-18934 | unbound | 1.9.0-2+deb10u1 | Unbound 1.6.4 through 1.9.4 contain a vulnerability | | | | | | in the ipsec module that can cause shell code | | | | | | execution after receiving a specially crafted | | | | | | answer. This issue can only be triggered if unbound | | | | | | was compiled with `--enable-ipsecmod` support, and | | | | | | ipsecmod is enabled and used in the configuration. | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-18934 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-18862 | mailutils | 1:3.5-3 | maidag in GNU Mailutils before 3.8 is installed setuid | | | | | | and allows local privilege escalation in the url mode. | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-18862 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2005-2541 | tar | 1.30+dfsg-6 | Tar 1.15.1 does not properly warn the user when | | | | | | extracting setuid or setgid files, which may allow | | | | | | local users or remote attackers to gain privileges. | | | | | | https://security-tracker.debian.org/tracker/CVE-2005-2541 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-9923 | tar | 1.30+dfsg-6 | pax_decode_header in sparse.c in GNU Tar before 1.32 | | | | | | had a NULL pointer dereference when parsing certain | | | | | | archives that have malformed extended headers. 
| | | | | | https://security-tracker.debian.org/tracker/CVE-2019-9923 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2013-0340 | expat | 2.2.6-2+deb10u1 | expat 2.1.0 and earlier does not properly handle | | | | | | entities expansion unless an application developer uses | | | | | | the XML_SetEntityDeclHandler function, which allows | | | | | | remote attackers to cause a denial of service (resource | | | | | | consumption), send HTTP requests to intranet servers, | | | | | | or read arbitrary files via a crafted XML document, aka | | | | | | an XML External Entity (XXE) issue. NOTE: it could be | | | | | | argued that because expat already provides the ability to | | | | | | disable external entity expansion, the responsibility for | | | | | | resolving this issue lies with application developers; | | | | | | according to this argument, this entry should be REJECTed, | | | | | | and each affected application would need its own CVE. | | | | | | https://security-tracker.debian.org/tracker/CVE-2013-0340 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Negligible CVE-2019-19882 | shadow | 1:4.5-1.1 | shadow 4.8, in certain circumstances affecting at | | | | | | least Gentoo, Arch Linux, and Void Linux, allows local | | | | | | users to obtain root access because setuid programs are | | | | | | misconfigured. Specifically, this affects shadow 4.8 | | | | | | when compiled using --with-libpam but without explicitly | | | | | | passing --disable-account-tools-setuid, and without a | | | | | | PAM configuration suitable for use with setuid account | | | | | | management tools. 
This combination leads to account | | | | | | management tools (groupadd, groupdel, groupmod, useradd, | | | | | | userdel, usermod) that can easily be used by unprivileged | | | | | | local users to escalate privileges to root in multiple | | | | | | ways. This issue became much more relevant in approximately | | | | | | December 2019 when an unrelated bug was fixed (i.e., | | | | | | the chmod calls to suidusbins were fixed in the upstream | | | | | | Makefile which is now included in the release version 4.8). | | | | | | https://security-tracker.debian.org/tracker/CVE-2019-19882 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Unknown CVE-2020-1752 | glibc | 2.28-10 | https://security-tracker.debian.org/tracker/CVE-2020-1752 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ | [1;36mApproved[0m | Unknown CVE-2020-1751 | glibc | 2.28-10 | https://security-tracker.debian.org/tracker/CVE-2020-1751 | +------------+-----------------------------+--------------+-----------------------+--------------------------------------------------------------+ section_end:1585877854:build_script [0Ksection_start:1585877854:after_script [0Ksection_end:1585877856:after_script [0Ksection_start:1585877856:upload_artifacts_on_failure [0Ksection_end:1585877857:upload_artifacts_on_failure [0K[31;1mERROR: Job failed: exit code 1 [0;m